Analysis Report uIsv6VTOek

Overview

General Information

Sample Name: uIsv6VTOek (renamed file extension from none to exe)
Analysis ID: 405975
MD5: 3ee16bbc971bceb22c5ea3b79f8f711d
SHA1: f20112dd192c7ec6fbf1a3772769c833f60433b7
SHA256: 982a1c7af717a51a2b5a661b7e4d0e0d63565e80e9a74e76b33fe416076ee86b

Detection

Emotet
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Connects to several IPs in different countries
Contains capabilities to detect virtual machines
Contains functionality to delete services
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Drops PE files to the windows directory (C:\Windows)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Yara signature match

Classification

Startup

  • System is w10x64
  • uIsv6VTOek.exe (PID: 5936 cmdline: 'C:\Users\user\Desktop\uIsv6VTOek.exe' MD5: 3EE16BBC971BCEB22C5EA3B79F8F711D)
    • uIsv6VTOek.exe (PID: 5980 cmdline: C:\Users\user\Desktop\uIsv6VTOek.exe MD5: 3EE16BBC971BCEB22C5EA3B79F8F711D)
  • hyperlanes.exe (PID: 3040 cmdline: C:\Windows\SysWOW64\hyperlanes.exe MD5: 3EE16BBC971BCEB22C5EA3B79F8F711D)
    • hyperlanes.exe (PID: 3468 cmdline: C:\Windows\SysWOW64\hyperlanes.exe MD5: 3EE16BBC971BCEB22C5EA3B79F8F711D)
  • svchost.exe (PID: 6024 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1268 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5844 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5656 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4088 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5344 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1740 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 484 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 3652 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 5560 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 1004 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 1000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6504 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6596 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6904 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.1291468406.0000000000D11000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000006.00000002.1291468406.0000000000D11000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly | 0x5990:$snippet4: 33 C0 C7 05 80 A8 D1 00 00 A0 D1 00 C7 05 84 A8 D1 00 00 A0 D1 00 A3 88 A8 D1 00 A3 8C A8 D1 00 ...
00000004.00000002.246701559.00000000005B1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000004.00000002.246701559.00000000005B1000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly | 0x5990:$snippet4: 33 C0 C7 05 80 A8 5B 00 00 A0 5B 00 C7 05 84 A8 5B 00 00 A0 5B 00 A3 88 A8 5B 00 A3 8C A8 5B 00 ...
00000000.00000002.233356991.00000000005B1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(3 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.uIsv6VTOek.exe.5b0000.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
4.2.uIsv6VTOek.exe.5b0000.3.unpack | Emotet | Emotet Payload | kevoreilly | 0x5d90:$snippet4: 33 C0 C7 05 80 A8 5B 00 00 A0 5B 00 C7 05 84 A8 5B 00 00 A0 5B 00 A3 88 A8 5B 00 A3 8C A8 5B 00 ...
0.2.uIsv6VTOek.exe.5b0000.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0.2.uIsv6VTOek.exe.5b0000.3.unpack | Emotet | Emotet Payload | kevoreilly | 0x5d90:$snippet4: 33 C0 C7 05 80 A8 5B 00 00 A0 5B 00 C7 05 84 A8 5B 00 00 A0 5B 00 A3 88 A8 5B 00 A3 8C A8 5B 00 ...
6.2.hyperlanes.exe.d10000.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(3 further entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: uIsv6VTOek.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: uIsv6VTOek.exe | ReversingLabs: Detection: 96%
Machine Learning detection for sample
Source: uIsv6VTOek.exe | Joe Sandbox ML: detected
Source: 4.0.uIsv6VTOek.exe.400000.0.unpack | Avira: Label: TR/Crypt.EPACK.Gen8
Source: 0.2.uIsv6VTOek.exe.400000.0.unpack | Avira: Label: TR/Crypt.EPACK.Gen8
Source: 5.0.hyperlanes.exe.400000.0.unpack | Avira: Label: TR/Crypt.EPACK.Gen8
Source: 6.2.hyperlanes.exe.400000.0.unpack | Avira: Label: TR/Crypt.EPACK.Gen8
Source: 5.2.hyperlanes.exe.400000.0.unpack | Avira: Label: TR/Crypt.EPACK.Gen8
Source: 4.2.uIsv6VTOek.exe.400000.0.unpack | Avira: Label: TR/Crypt.EPACK.Gen8
Source: 0.0.uIsv6VTOek.exe.400000.0.unpack | Avira: Label: TR/Crypt.EPACK.Gen8
Source: 6.0.hyperlanes.exe.400000.0.unpack | Avira: Label: TR/Crypt.EPACK.Gen8
Source: C:\Windows\SysWOW64\hyperlanes.exe | Code function: 6_2_00D12195 CryptImportKey,LocalFree,CryptReleaseContext,
Source: C:\Windows\SysWOW64\hyperlanes.exe | Code function: 6_2_00D12336 CryptDestroyHash,
Source: C:\Windows\SysWOW64\hyperlanes.exe | Code function: 6_2_00D12435 CryptVerifySignatureW,CryptDestroyHash,
Source: C:\Windows\SysWOW64\hyperlanes.exe | Code function: 6_2_00D12129 CryptGetHashParam,
Source: C:\Windows\SysWOW64\hyperlanes.exe | Code function: 6_2_00D122A6 CryptDuplicateHash,
Source: C:\Windows\SysWOW64\hyperlanes.exe | Code function: 6_2_00D12261 CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,
Source: uIsv6VTOek.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: Binary string: QHB_irffzme.pdb source: uIsv6VTOek.exe
Source: unknown | Network traffic detected: IP country count 11
Source: C:\Windows\SysWOW64\hyperlanes.exe | Code function: 6_2_00D116D8 InternetReadFile,
              Source: svchost.exe, 00000023.00000003.579563921.0000020499F56000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
              Source: svchost.exe, 00000023.00000003.579563921.0000020499F56000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
              Source: svchost.exe, 00000023.00000003.579563921.0000020499F56000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","S
R","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-30T08:54:20.0245879Z||.||30098e0e-d5e1-4db9-a557-65675adc3d26||1152921505693441693||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
              Source: svchost.exe, 00000023.00000003.579563921.0000020499F56000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","S
R","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-30T08:54:20.0245879Z||.||30098e0e-d5e1-4db9-a557-65675adc3d26||1152921505693441693||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
              Source: svchost.exe, 00000023.00000003.579563921.0000020499F56000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI",U6 equals www.facebook.com (Facebook)
              Source: svchost.exe, 00000023.00000003.579563921.0000020499F56000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI",U6 equals www.twitter.com (Twitter)
              Source: svchost.exe, 00000023.00000003.572480008.0000020499F76000.00000004.00000001.sdmpString found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8
rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-28T14:19:25.9172986Z||.||2e8b091b-9a79-4b36-a1ad-1238cc769fa9||1152921505693355901||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-04-28T14:18:40.1620745Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free* texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
              Source: svchost.exe, 00000023.00000003.569460119.0000020499F65000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
              Source: svchost.exe, 00000023.00000003.569472732.0000020499F54000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc
2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":478335559,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.41.4100.0_neutral_~_ytsefhwckbdv6","PackageId":"315cf6c7-aa45-c12f-d8c7-d4d106ed45fc-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.41.4100.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.41.4100.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
              Source: svchost.exe, 00000023.00000003.569441527.000002049A402000.00000004.00000001.sdmpString found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
              Source: svchost.exe, 00000023.00000003.572538679.0000020499F54000.00000004.00000001.sdmpString found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8
rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-28T14:19:25.9172986Z||.||2e8b091b-9a79-4b36-a1ad-1238cc769fa9||1152921505693355901||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-04-28T14:18:40.1620745Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free* texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
              Source: svchost.exe, 00000023.00000003.572458259.0000020499F65000.00000004.00000001.sdmpString found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8
rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-28T14:19:25.9172986Z||.||2e8b091b-9a79-4b36-a1ad-1238cc769fa9||1152921505693355901||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-04-28T14:18:40.1620745Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free* texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
              Source: svchost.exe, 00000023.00000003.572538679.0000020499F54000.00000004.00000001.sdmp String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","SkuTitle":"Messenger","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9WZDNCRF0083","Properties":{"FulfillmentData":{"ProductId":"9WZDNCRF0083","WuCategoryId":"c6a9fa5c-20a2-4e12-904d-edd408657dc8","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","SkuId":"0010"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x64"],"Capabilities":["runFullTrust","internetClient","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":140842379,"PackageFormat":"Appx","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","MainPackageFamilyNameForDlc":null,"PackageFullName":"FACEBOOK.317180B0BB486_970.11.116.0_x64__8xx8rvfyw5nnt","PackageId":"7f326ffb-6d38-0c43-2776-11d49b129880-X64","PackageRank":30002,"PlatformDependencies":[{"MaxTested":2814750970478592,"MinVersion":2814750438195200,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"FACEBOOK.317180B0BB486_970.11.116.0_x64__8xx8rvfyw5nnt\",\"content.productId\":\"3219d30d-4a23-4f58-a91c-c44b04e6a0c7\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750970478592,\"platform.minVersion\":2814750438195200,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Social\",\"optOut.bac
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://108.170.54.171:8080/
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://108.170.54.171:8080/%
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://108.170.54.171:8080/103.94:8080/
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://108.170.54.171:8080/8j#
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://108.170.54.171:8080/M
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://108.170.54.171:8080/N
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://110.143.116.201/wshqos.dll
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://121.50.43.110:8080/
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://164.160.161.118:8080/
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://164.160.161.118:8080/$
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://164.160.161.118:8080/)Bo
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://178.62.103.94:8080/
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://178.62.103.94:8080/60.231:4143/E
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://178.62.103.94:8080/I(s
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://184.180.177.28:8080/
              Source: hyperlanes.exe, 00000006.00000003.481688344.00000000007A1000.00000004.00000001.sdmp String found in binary or memory: http://189.236.94.20:995/
              Source: hyperlanes.exe, 00000006.00000003.481688344.00000000007A1000.00000004.00000001.sdmp String found in binary or memory: http://189.236.94.20:995/m#
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://194.88.246.242:443/
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://194.88.246.242:443/.177.28:8080/m
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://194.88.246.242:443/;(
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://206.210.104.194/A
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://23.239.2.11:808/
              Source: hyperlanes.exe, 00000006.00000003.365988326.00000000007A1000.00000004.00000001.sdmp String found in binary or memory: http://47.188.131.94:443/
              Source: hyperlanes.exe, 00000006.00000003.365988326.00000000007A1000.00000004.00000001.sdmp String found in binary or memory: http://69.17.170.58/
              Source: hyperlanes.exe, 00000006.00000003.365988326.00000000007A1000.00000004.00000001.sdmp String found in binary or memory: http://69.17.170.58/E
              Source: hyperlanes.exe, 00000006.00000003.365988326.00000000007A1000.00000004.00000001.sdmp String found in binary or memory: http://69.17.170.58/v
              Source: hyperlanes.exe, 00000006.00000003.365988326.00000000007A1000.00000004.00000001.sdmp String found in binary or memory: http://70.182.77.184:8090/
              Source: hyperlanes.exe, 00000006.00000003.365988326.00000000007A1000.00000004.00000001.sdmp String found in binary or memory: http://70.182.77.184:8090/=#
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://70.182.77.184:8090/sw
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://70.184.125.132:8080/B
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://71.244.60.231:4143/
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://71.244.60.231:4143/V#
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://72.45.212.62:8080/
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://72.45.212.62:8080/-
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://72.45.212.62:8080/c(
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://76.72.225.30:465/
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://76.72.225.30:465//
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://76.72.225.30:465/0/u
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://78.47.182.42:8080/
              Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://78.47.182.42:8080/4Y#
              Source: svchost.exe, 00000026.00000003.1149031459.0000024EB8814000.00000004.00000001.sdmp String found in binary or memory: http://Passport.NET/tbpose
              Source: svchost.exe, 00000026.00000003.1148434421.0000024EB7A6F000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
              Source: svchost.exe, 00000023.00000003.579563921.0000020499F56000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
              Source: svchost.exe, 00000026.00000002.1296740233.0000024EB884A000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
              Source: svchost.exe, 00000026.00000003.1148434421.0000024EB7A6F000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
              Source: svchost.exe, 00000023.00000003.579563921.0000020499F56000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
              Source: svchost.exe, 00000026.00000002.1296740233.0000024EB884A000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertSHA2SecureServerCA.crl0=
              Source: svchost.exe, 00000009.00000002.598917337.0000022A76616000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
              Source: svchost.exe, 00000026.00000003.1148434421.0000024EB7A6F000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
              Source: svchost.exe, 00000023.00000003.579563921.0000020499F56000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
              Source: svchost.exe, 00000026.00000002.1296740233.0000024EB884A000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertSHA2SecureServerCA.crl0
              Source: svchost.exe, 00000026.00000003.828708979.0000024EB8369000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.823451637.0000024EB8357000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.1292902175.0000024EB8337000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
              Source: svchost.exe, 00000026.00000003.823424802.0000024EB832C000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdN
              Source: svchost.exe, 00000026.00000002.1292902175.0000024EB8337000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdes
              Source: svchost.exe, 00000026.00000003.825689349.0000024EB832A000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdng
              Source: svchost.exe, 00000026.00000002.1292902175.0000024EB8337000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds
              Source: svchost.exe, 00000026.00000003.1148330747.0000024EB8307000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdxmldsi
              Source: svchost.exe, 00000026.00000003.827937050.0000024EB7A8E000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
              Source: svchost.exe, 00000026.00000003.823424802.0000024EB832C000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdp://s
              Source: svchost.exe, 00000026.00000003.825689349.0000024EB832A000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdptedD
              Source: svchost.exe, 00000026.00000003.825689349.0000024EB832A000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds/SO
              Source: svchost.exe, 00000026.00000003.1148492415.0000024EB7A33000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-s
              Source: svchost.exe, 00000026.00000003.827937050.0000024EB7A8E000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
              Source: svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8
              Source: svchost.exe, 00000023.00000003.579563921.0000020499F56000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.1148434421.0000024EB7A6F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
              Source: svchost.exe, 00000009.00000002.598917337.0000022A76616000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
              Source: svchost.exe, 00000026.00000002.1296740233.0000024EB884A000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0H
              Source: svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootCA.crlhttp://crl4.digicert.com/Di
              Source: svchost.exe, 00000009.00000003.597980704.0000022A76608000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
              Source: svchost.exe, 00000026.00000002.1291561550.0000024EB7A7E000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.1148397347.0000024EB8819000.00000004.00000001.sdmp String found in binary or memory: http://passport.net/tb
              Source: svchost.exe, 00000026.00000003.1148330747.0000024EB8307000.00000004.00000001.sdmp String found in binary or memory: http://schemas.mi
              Source: svchost.exe, 00000026.00000002.1292902175.0000024EB8337000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
              Source: svchost.exe, 00000026.00000002.1292902175.0000024EB8337000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
              Source: svchost.exe, 00000026.00000003.1148346365.0000024EB8381000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policyr
              Source: svchost.exe, 00000026.00000002.1292902175.0000024EB8337000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
              Source: svchost.exe, 00000026.00000002.1292902175.0000024EB8337000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/schc=c
              Source: svchost.exe, 00000026.00000002.1292902175.0000024EB8337000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
              Source: svchost.exe, 00000026.00000003.1146946999.0000024EB8356000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.825784373.0000024EB832F000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.827918169.0000024EB832F000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
              Source: svchost.exe, 00000026.00000002.1292902175.0000024EB8337000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuessue
              Source: svchost.exe, 00000026.00000002.1292902175.0000024EB8337000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.827937050.0000024EB7A8E000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
              Source: svchost.exe, 00000026.00000002.1292902175.0000024EB8337000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
              Source: svchost.exe, 00000010.00000002.312434670.000002A771413000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
              Source: svchost.exe, 00000026.00000002.1296740233.0000024EB884A000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/CPS0~
              Source: svchost.exe, 00000023.00000003.569441527.000002049A402000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.569460119.0000020499F65000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.569472732.0000020499F54000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
              Source: svchost.exe, 00000023.00000003.569441527.000002049A402000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.569460119.0000020499F65000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.569472732.0000020499F54000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
              Source: svchost.exe, 00000026.00000003.826341450.0000024EB8358000.00000004.00000001.sdmp String found in binary or memory: http://www.w3.o
              Source: svchost.exe, 0000000E.00000002.1290004272.000002997EE3E000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
              Source: svchost.exe, 0000000E.00000002.1290004272.000002997EE3E000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
              Source: svchost.exe, 00000026.00000003.821431345.0000024EB8351000.00000004.00000001.sdmp String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
              Source: svchost.exe, 00000026.00000003.821431345.0000024EB8351000.00000004.00000001.sdmp String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
              Source: svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmp String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601R
              Source: svchost.exe, 00000026.00000003.821478832.0000024EB832C000.00000004.00000001.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
              Source: svchost.exe, 00000026.00000003.821478832.0000024EB832C000.00000004.00000001.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
              Source: svchost.exe, 00000026.00000003.821214824.0000024EB8329000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.821478832.0000024EB832C000.00000004.00000001.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
              Source: svchost.exe, 00000026.00000003.821431345.0000024EB8351000.00000004.00000001.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
              Source: svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600;
              Source: svchost.exe, 00000026.00000003.821431345.0000024EB8351000.00000004.00000001.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
              Source: svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601y0
              Source: svchost.exe, 00000026.00000003.821431345.0000024EB8351000.00000004.00000001.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
              Source: svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603N
              Source: svchost.exe, 00000026.00000003.821431345.0000024EB8351000.00000004.00000001.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
              Source: svchost.exe, 00000026.00000003.821431345.0000024EB8351000.00000004.00000001.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
              Source: svchost.exe, 00000026.00000003.821214824.0000024EB8329000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.821478832.0000024EB832C000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.821469527.0000024EB8329000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmp String found in binary or memory: https://account.live.com/msangcwam
              Source: svchost.exe, 0000000E.00000002.1290004272.000002997EE3E000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
              Source: svchost.exe, 00000010.00000003.311886865.000002A771460000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
              Source: svchost.exe, 0000000E.00000002.1290004272.000002997EE3E000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
              Source: svchost.exe, 0000000E.00000002.1290004272.000002997EE3E000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
              Source: svchost.exe, 00000023.00000003.578478684.0000020499F6C000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.578518826.0000020499F88000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
              Source: svchost.exe, 00000023.00000003.578478684.0000020499F6C000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.578518826.0000020499F88000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
              Source: svchost.exe, 00000010.00000003.311935000.000002A77144B000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
              Source: svchost.exe, 00000010.00000003.311886865.000002A771460000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
              Source: svchost.exe, 00000010.00000002.312477867.000002A77143E000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
              Source: svchost.exe, 00000010.00000003.311886865.000002A771460000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
              Source: svchost.exe, 00000010.00000003.311901127.000002A77144D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
              Source: svchost.exe, 00000010.00000003.289950405.000002A771430000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
              Source: svchost.exe, 00000010.00000003.289950405.000002A771430000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
              Source: svchost.exe, 00000010.00000003.289950405.000002A771430000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
              Source: svchost.exe, 00000010.00000002.312477867.000002A77143E000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
              Source: svchost.exe, 00000010.00000003.311886865.000002A771460000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
              Source: svchost.exe, 00000010.00000003.311886865.000002A771460000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
              Source: svchost.exe, 00000010.00000003.311886865.000002A771460000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
              Source: svchost.exe, 00000010.00000003.289950405.000002A771430000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
              Source: svchost.exe, 00000010.00000003.312062878.000002A771441000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
              Source: svchost.exe, 00000010.00000003.312062878.000002A771441000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
              Source: svchost.exe, 00000010.00000003.311886865.000002A771460000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
              Source: svchost.exe, 00000010.00000002.312490057.000002A771447000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
              Source: svchost.exe, 00000010.00000003.289950405.000002A771430000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
              Source: svchost.exe, 00000010.00000003.311935000.000002A77144B000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
              Source: svchost.exe, 00000010.00000002.312490057.000002A771447000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
              Source: svchost.exe, 00000010.00000002.312490057.000002A771447000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
              Source: svchost.exe, 00000010.00000003.311901127.000002A77144D000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.311935000.000002A77144B000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.312062878.000002A771441000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
              Source: svchost.exe, 00000010.00000003.311886865.000002A771460000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
              Source: svchost.exe, 00000010.00000002.312477867.000002A77143E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.289950405.000002A771430000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
              Source: svchost.exe, 00000010.00000003.289950405.000002A771430000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
              Source: svchost.exe, 00000023.00000003.578478684.0000020499F6C000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.578518826.0000020499F88000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
              Source: svchost.exe, 00000023.00000003.569441527.000002049A402000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.569460119.0000020499F65000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.569472732.0000020499F54000.00000004.00000001.sdmp String found in binary or memory: https://instagram.com/hiddencity_
              Source: svchost.exe, 00000026.00000002.1292020704.0000024EB7AD4000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/
              Source: svchost.exe, 00000026.00000003.821292620.0000024EB8355000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.821469527.0000024EB8329000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/ApproveSession.srf
              Source: svchost.exe, 00000026.00000003.821519879.0000024EB836C000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
              Source: svchost.exe, 00000026.00000003.821519879.0000024EB836C000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
              Source: svchost.exe, 00000026.00000003.821642770.0000024EB836E000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.1291363879.0000024EB7A5E000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
              Source: svchost.exe, 00000026.00000003.821469527.0000024EB8329000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/ListSessions.srf
              Source: svchost.exe, 00000026.00000003.821292620.0000024EB8355000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.821469527.0000024EB8329000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/ManageApprover.srf
              Source: svchost.exe, 00000026.00000002.1291363879.0000024EB7A5E000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/ManageApprover.srfN
              Source: svchost.exe, 00000026.00000003.821292620.0000024EB8355000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.821469527.0000024EB8329000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
              Source: svchost.exe, 00000026.00000002.1291880861.0000024EB7AB2000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.827884824.0000024EB7B02000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.1292137690.0000024EB7AFC000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/RST2.srf
              Source: svchost.exe, 00000026.00000002.1291363879.0000024EB7A5E000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/RST2.srf2926
              Source: svchost.exe, 00000026.00000003.827884824.0000024EB7B02000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/didtou.srf
              Source: svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/getrealminfo.srf
              Source: svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/getuserrealm.srf
              Source: svchost.exe, 00000026.00000003.827884824.0000024EB7B02000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/ppsecure/Device
              Source: svchost.exe, 00000026.00000003.821519879.0000024EB836C000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.827884824.0000024EB7B02000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
              Source: svchost.exe, 00000026.00000003.821519879.0000024EB836C000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.827884824.0000024EB7B02000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
              Source: svchost.exe, 00000026.00000002.1291363879.0000024EB7A5E000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srfuer
              Source: svchost.exe, 00000026.00000003.821292620.0000024EB8355000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.827884824.0000024EB7B02000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
              Source: svchost.exe, 00000026.00000003.821642770.0000024EB836E000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
              Source: svchost.exe, 00000026.00000003.821642770.0000024EB836E000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
              Source: svchost.exe, 00000026.00000003.821292620.0000024EB8355000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.821469527.0000024EB8329000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
              Source: svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cplive.com
              Source: svchost.exe, 00000026.00000003.821642770.0000024EB836E000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
              Source: svchost.exe, 00000026.00000003.821642770.0000024EB836E000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
              Source: svchost.exe, 00000026.00000002.1291363879.0000024EB7A5E000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srfr
              Source: svchost.exe, 00000026.00000003.821431345.0000024EB8351000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
              Source: svchost.exe, 00000026.00000003.821431345.0000024EB8351000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.821478832.0000024EB832C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
              Source: svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601Ct
              Source: svchost.exe, 00000026.00000003.821431345.0000024EB8351000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.821478832.0000024EB832C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
              Source: svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=806030
              Source: svchost.exe, 00000026.00000003.821214824.0000024EB8329000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.821431345.0000024EB8351000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.821478832.0000024EB832C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
              Source: svchost.exe, 00000026.00000003.821642770.0000024EB836E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
              Source: svchost.exe, 00000026.00000003.821223974.0000024EB832C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
              Source: svchost.exe, 00000026.00000003.821431345.0000024EB8351000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
              Source: svchost.exe, 00000026.00000003.821431345.0000024EB8351000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
              Source: svchost.exe, 00000026.00000003.821431345.0000024EB8351000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
              Source: svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806010
              Source: svchost.exe, 00000026.00000003.821431345.0000024EB8351000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.821478832.0000024EB832C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
              Source: svchost.exe, 00000026.00000003.821478832.0000024EB832C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
              Source: svchost.exe, 00000026.00000003.821214824.0000024EB8329000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.821431345.0000024EB8351000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.821478832.0000024EB832C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
              Source: svchost.exe, 00000026.00000003.821214824.0000024EB8329000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.821431345.0000024EB8351000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.821478832.0000024EB832C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
              Source: svchost.exe, 00000026.00000003.821214824.0000024EB8329000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.821431345.0000024EB8351000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.821478832.0000024EB832C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
              Source: svchost.exe, 00000026.00000003.821214824.0000024EB8329000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.821431345.0000024EB8351000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.821478832.0000024EB832C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
              Source: svchost.exe, 00000026.00000003.821478832.0000024EB832C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
              Source: svchost.exe, 00000026.00000003.821223974.0000024EB832C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
              Source: svchost.exe, 00000026.00000003.821214824.0000024EB8329000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.821431345.0000024EB8351000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.821478832.0000024EB832C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
              Source: svchost.exe, 00000026.00000003.821292620.0000024EB8355000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
              Source: svchost.exe, 00000026.00000003.821292620.0000024EB8355000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.827884824.0000024EB7B02000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
              Source: svchost.exe, 00000026.00000003.827884824.0000024EB7B02000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.1291363879.0000024EB7A5E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
              Source: svchost.exe, 00000026.00000003.821431345.0000024EB8351000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.827884824.0000024EB7B02000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
              Source: svchost.exe, 00000026.00000003.821431345.0000024EB8351000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.827884824.0000024EB7B02000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
              Source: svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf0
              Source: svchost.exe, 00000026.00000003.827884824.0000024EB7B02000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/resetpw.srf
              Source: svchost.exe, 00000026.00000003.821469527.0000024EB8329000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/retention.srf
              Source: svchost.exe, 00000026.00000002.1291687226.0000024EB7A8F000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.827937050.0000024EB7A8E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com:443/RST2.srf
              Source: svchost.exe, 00000026.00000003.821469527.0000024EB8329000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmpString found in binary or memory: https://signup.live.com/signup.aspx
              Source: svchost.exe, 00000010.00000002.312477867.000002A77143E000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
              Source: svchost.exe, 00000010.00000002.312477867.000002A77143E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.312434670.000002A771413000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
              Source: svchost.exe, 00000010.00000003.312053370.000002A771445000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
              Source: svchost.exe, 00000010.00000003.312053370.000002A771445000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
              Source: svchost.exe, 00000010.00000003.289950405.000002A771430000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
              Source: svchost.exe, 00000010.00000003.312080924.000002A77143A000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
              Source: svchost.exe, 00000010.00000002.312449752.000002A771424000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
              Source: svchost.exe, 00000023.00000003.578478684.0000020499F6C000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.578518826.0000020499F88000.00000004.00000001.sdmpString found in binary or memory: https://www.roblox.com/develop
              Source: svchost.exe, 00000023.00000003.578478684.0000020499F6C000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.578518826.0000020499F88000.00000004.00000001.sdmpString found in binary or memory: https://www.roblox.com/info/privacy
              Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49765 -> 443

E-Banking Fraud:

Yara detected Emotet
Source: Yara match -- File source: 00000006.00000002.1291468406.0000000000D11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match -- File source: 00000004.00000002.246701559.00000000005B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.233356991.00000000005B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match -- File source: 00000005.00000002.245530482.00000000005B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match -- File source: 4.2.uIsv6VTOek.exe.5b0000.3.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.uIsv6VTOek.exe.5b0000.3.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 6.2.hyperlanes.exe.d10000.3.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 5.2.hyperlanes.exe.5b0000.3.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\hyperlanes.exe -- Code function: 6_2_00D12195 CryptImportKey,LocalFree,CryptReleaseContext,
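The CryptImportKey call recorded above consumes a CryptoAPI key blob, and for an RSA public key that blob has a fixed layout: BLOBHEADER (bType, bVersion, reserved, aiKeyAlg), RSAPUBKEY (magic "RSA1", bitlen, pubexp) and the modulus stored little-endian in bitlen/8 bytes. The following is an added example, not code from the report, from Joe Sandbox or from the sample: a parser for that layout plus a carver that walks a memory dump such as the .sdmp files listed above and pulls out every well-formed blob. Whether this sample stores its key in exactly this layout is an assumption the report does not confirm; the dump and the toy key the carver is exercised on are constructed for the example.

```python
"""Parse and carve CryptoAPI RSA PUBLICKEYBLOBs (added example, not from the report)."""
import struct

# Constants from the CryptoAPI blob format.
PUBLICKEYBLOB = 0x06
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400
CALG_RSA_SIGN = 0x00002400
RSA1_MAGIC = 0x31415352  # b"RSA1" read as a little-endian uint32

# Constructed toy key (p=61, q=53); NOT taken from the sample.
TEST_N, TEST_E = 3233, 17


def build_rsa_publickeyblob(n, e, alg=CALG_RSA_KEYX):
    """Serialise modulus n and public exponent e into a PUBLICKEYBLOB."""
    nbytes = (n.bit_length() + 7) // 8
    header = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, alg)
    rsapubkey = struct.pack("<III", RSA1_MAGIC, nbytes * 8, e)
    return header + rsapubkey + n.to_bytes(nbytes, "little")


def parse_rsa_publickeyblob(blob):
    """Return (n, e, bitlen, alg) from a PUBLICKEYBLOB; raise ValueError if malformed."""
    if len(blob) < 20:
        raise ValueError("blob too short for BLOBHEADER + RSAPUBKEY")
    btype, bver, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    if btype != PUBLICKEYBLOB or bver != CUR_BLOB_VERSION:
        raise ValueError(f"not a PUBLICKEYBLOB: bType={btype:#x} bVersion={bver:#x}")
    if alg not in (CALG_RSA_KEYX, CALG_RSA_SIGN):
        raise ValueError(f"unexpected aiKeyAlg {alg:#x}")
    magic, bitlen, pubexp = struct.unpack_from("<III", blob, 8)
    if magic != RSA1_MAGIC:
        raise ValueError("RSAPUBKEY magic is not 'RSA1'")
    nbytes = bitlen // 8
    if bitlen == 0 or bitlen % 8 or len(blob) < 20 + nbytes:
        raise ValueError("bad bitlen or truncated modulus")
    n = int.from_bytes(blob[20:20 + nbytes], "little")
    return n, pubexp, bitlen, alg


def carve_rsa_publickeyblobs(data):
    """Scan a memory dump for every well-formed RSA PUBLICKEYBLOB.

    The "RSA1" magic sits 8 bytes into the blob, so each hit is re-parsed
    from 8 bytes earlier; anything that fails validation is skipped.
    """
    found = []
    i = data.find(b"RSA1")
    while i >= 0:
        if i >= 8:
            try:
                n, e, bitlen, alg = parse_rsa_publickeyblob(data[i - 8:])
                found.append({"offset": i - 8, "bitlen": bitlen, "e": e, "n": n, "alg": alg})
            except ValueError:
                pass
        i = data.find(b"RSA1", i + 1)
    return found


# Constructed dump: padding, a decoy "RSA1" with no valid header, then a real blob.
SAMPLE_DUMP = (b"\x90" * 16 + b"ABCDEFGHRSA1junk" + b"\x00" * 9
               + build_rsa_publickeyblob(TEST_N, TEST_E) + b"\xcc" * 5)

if __name__ == "__main__":
    for hit in carve_rsa_publickeyblobs(SAMPLE_DUMP):
        print(f"offset {hit['offset']}: {hit['bitlen']}-bit RSA, e={hit['e']}, n={hit['n']:#x}")
```

Run the carver over each .sdmp region the Yara rule matched; a hit with a 2048-bit (or larger) modulus is the key to compare across samples of the same campaign, while a hit with a tiny modulus like the toy one above is noise.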

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.1291468406.0000000000D11000.00000020.00000001.sdmp, type: MEMORY -- Matched rule: Emotet Payload Author: kevoreilly
Source: 00000004.00000002.246701559.00000000005B1000.00000020.00000001.sdmp, type: MEMORY -- Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.233356991.00000000005B1000.00000020.00000001.sdmp, type: MEMORY -- Matched rule: Emotet Payload Author: kevoreilly
Source: 00000005.00000002.245530482.00000000005B1000.00000020.00000001.sdmp, type: MEMORY -- Matched rule: Emotet Payload Author: kevoreilly
Source: 4.2.uIsv6VTOek.exe.5b0000.3.unpack, type: UNPACKEDPE -- Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.uIsv6VTOek.exe.5b0000.3.unpack, type: UNPACKEDPE -- Matched rule: Emotet Payload Author: kevoreilly
Source: 6.2.hyperlanes.exe.d10000.3.unpack, type: UNPACKEDPE -- Matched rule: Emotet Payload Author: kevoreilly
Source: 5.2.hyperlanes.exe.5b0000.3.unpack, type: UNPACKEDPE -- Matched rule: Emotet Payload Author: kevoreilly
Source: C:\Windows\SysWOW64\hyperlanes.exe -- Code function: 6_2_00D180BC _snwprintf,OpenServiceW,DeleteService,CloseServiceHandle,
Source: C:\Windows\SysWOW64\hyperlanes.exe -- Code function: 6_2_00D11F76 CreateProcessAsUserW,
Source: C:\Windows\SysWOW64\hyperlanes.exe -- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
Source: C:\Users\user\Desktop\uIsv6VTOek.exe -- File deleted: C:\Windows\SysWOW64\hyperlanes.exe:Zone.Identifier
Source: uIsv6VTOek.exe -- Binary or memory string: OriginalFilename vs uIsv6VTOek.exe
Source: uIsv6VTOek.exe, 00000000.00000000.206704369.0000000000417000.00000002.00020000.sdmp -- Binary or memory string: OriginalFilenameHWMonitor.exeN vs uIsv6VTOek.exe
Source: uIsv6VTOek.exe, 00000004.00000002.246897134.00000000022A0000.00000002.00000001.sdmp -- Binary or memory string: originalfilename vs uIsv6VTOek.exe
Source: uIsv6VTOek.exe, 00000004.00000002.246897134.00000000022A0000.00000002.00000001.sdmp -- Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs uIsv6VTOek.exe
Source: uIsv6VTOek.exe, 00000004.00000002.246550303.0000000000417000.00000002.00020000.sdmp -- Binary or memory string: OriginalFilenameHWMonitor.exeN vs uIsv6VTOek.exe
Source: uIsv6VTOek.exe, 00000004.00000002.247351284.0000000002820000.00000002.00000001.sdmp -- Binary or memory string: System.OriginalFileName vs uIsv6VTOek.exe
Source: uIsv6VTOek.exe -- Binary or memory string: OriginalFilenameHWMonitor.exeN vs uIsv6VTOek.exe
Source: C:\Windows\System32\svchost.exe -- Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe -- Section loaded: cdpsgshims.dll
Source: uIsv6VTOek.exe -- Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: 00000006.00000002.1291468406.0000000000D11000.00000020.00000001.sdmp, type: MEMORY -- Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000004.00000002.246701559.00000000005B1000.00000020.00000001.sdmp, type: MEMORY -- Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.233356991.00000000005B1000.00000020.00000001.sdmp, type: MEMORY -- Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000005.00000002.245530482.00000000005B1000.00000020.00000001.sdmp, type: MEMORY -- Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 4.2.uIsv6VTOek.exe.5b0000.3.unpack, type: UNPACKEDPE -- Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.uIsv6VTOek.exe.5b0000.3.unpack, type: UNPACKEDPE -- Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 6.2.hyperlanes.exe.d10000.3.unpack, type: UNPACKEDPE -- Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 5.2.hyperlanes.exe.5b0000.3.unpack, type: UNPACKEDPE -- Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: uIsv6VTOek.exe -- Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_SECURITY size: 0x40 address: 0x0
Source: classification engine -- Classification label: mal88.troj.evad.winEXE@22/9@0/23
Source: C:\Windows\SysWOW64\hyperlanes.exe -- Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,
Source: C:\Windows\SysWOW64\hyperlanes.exe -- Code function: 6_2_00D181DF ChangeServiceConfig2W,
Source: C:\Windows\System32\svchost.exe -- File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Source: C:\Windows\SysWOW64\hyperlanes.exe -- Mutant created: \BaseNamedObjects\Global\I6A32775D
Source: C:\Windows\System32\conhost.exe -- Mutant created: \BaseNamedObjects\Local\SM0:1000:120:WilError_01
Source: uIsv6VTOek.exe -- Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\uIsv6VTOek.exe -- File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\uIsv6VTOek.exe -- Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: uIsv6VTOek.exe -- ReversingLabs: Detection: 96%
Source: unknown -- Process created: C:\Users\user\Desktop\uIsv6VTOek.exe 'C:\Users\user\Desktop\uIsv6VTOek.exe'
Source: C:\Users\user\Desktop\uIsv6VTOek.exe -- Process created: C:\Users\user\Desktop\uIsv6VTOek.exe C:\Users\user\Desktop\uIsv6VTOek.exe
Source: unknown -- Process created: C:\Windows\SysWOW64\hyperlanes.exe C:\Windows\SysWOW64\hyperlanes.exe
Source: C:\Windows\SysWOW64\hyperlanes.exe -- Process created: C:\Windows\SysWOW64\hyperlanes.exe C:\Windows\SysWOW64\hyperlanes.exe
Source: unknown -- Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown -- Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown -- Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown -- Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown -- Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown -- Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown -- Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown -- Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown -- Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown -- Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown -- Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe -- Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe -- Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown -- Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown -- Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Users\user\Desktop\uIsv6VTOek.exe -- Process created: C:\Users\user\Desktop\uIsv6VTOek.exe C:\Users\user\Desktop\uIsv6VTOek.exe
Source: C:\Windows\SysWOW64\hyperlanes.exe -- Process created: C:\Windows\SysWOW64\hyperlanes.exe C:\Windows\SysWOW64\hyperlanes.exe
Source: C:\Windows\System32\svchost.exe -- Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\uIsv6VTOek.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: uIsv6VTOek.exe -- Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: QHB_irffzme.pdb source: uIsv6VTOek.exe

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\hyperlanes.exe -- Executable created and started: C:\Windows\SysWOW64\hyperlanes.exe
Source: C:\Users\user\Desktop\uIsv6VTOek.exe -- PE file moved: C:\Windows\SysWOW64\hyperlanes.exe
Source: C:\Windows\SysWOW64\hyperlanes.exe -- Code function: 6_2_00D181F7 StartServiceW,CloseServiceHandle,CloseServiceHandle,
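The rows above, together with the OpenSCManagerW / CreateServiceW / ChangeServiceConfig2W chain in the System Summary and the process tree there, describe one persistence pattern: the sample moves itself to C:\Windows\SysWOW64\hyperlanes.exe, strips the Zone.Identifier stream, registers that file as a service, and the service copy spawns a second hyperlanes.exe. The svchost.exe and SgrmBroker.exe rows in the tree are Windows services captured during the run (their parent is listed as unknown), not children of the sample, so a detection should key on the dropped binary rather than on the tree as a whole. The following is an added example, not code from the report or from Joe Sandbox: detection logic run over constructed telemetry in a simplified pipe-separated key=value form that stands in for Windows System event 7045 (service installed) and Sysmon event 1 (process creation). The service name, the parent of hyperlanes.exe and the baseline of legitimate service binaries are assumptions; real events must first be mapped to these field names.

```python
"""Flag a new service whose binary sits directly in System32/SysWOW64 and also
self-spawns (added example; not from the report or any vendor product)."""
from pathlib import PureWindowsPath

# Directories the report shows the dropped binary living in directly.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Assumption: service executables that legitimately sit directly in those
# directories. In production, derive this from a clean reference image.
BASELINE_SERVICE_BINARIES = {
    "svchost.exe", "services.exe", "lsass.exe", "spoolsv.exe",
    "searchindexer.exe", "msdtc.exe", "sgrmbroker.exe", "vds.exe",
}

# Constructed telemetry mirroring the report's process tree; not real logs.
SAMPLE_EVENTS = r"""
7045|ServiceName=hyperlanes|ImagePath=C:\Windows\SysWOW64\hyperlanes.exe|StartType=auto start
7045|ServiceName=BITS|ImagePath=C:\Windows\System32\svchost.exe -k netsvcs -p|StartType=demand start
7045|ServiceName=ExampleAgent|ImagePath="C:\Program Files\Example Agent\agent.exe" -svc|StartType=auto start
1|Image=C:\Users\user\Desktop\uIsv6VTOek.exe|ParentImage=C:\Windows\explorer.exe
1|Image=C:\Users\user\Desktop\uIsv6VTOek.exe|ParentImage=C:\Users\user\Desktop\uIsv6VTOek.exe
1|Image=C:\Windows\SysWOW64\hyperlanes.exe|ParentImage=C:\Windows\System32\services.exe
1|Image=C:\Windows\SysWOW64\hyperlanes.exe|ParentImage=C:\Windows\SysWOW64\hyperlanes.exe
1|Image=C:\Windows\System32\svchost.exe|ParentImage=C:\Windows\System32\services.exe
"""


def parse_events(text):
    """Turn the pipe-separated key=value lines into dicts carrying an 'id' field."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split("|")
        ev = {"id": parts[0]}
        for field in parts[1:]:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def normalize_image_path(image_path):
    """Strip surrounding quotes and trailing arguments from a service ImagePath."""
    path = image_path.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]
    else:
        path = path.split(" ", 1)[0]
    return path.lower()


def suspicious_service_installs(events):
    """7045 events whose binary sits directly in System32/SysWOW64 but is not baseline."""
    hits = []
    for ev in events:
        if ev["id"] != "7045":
            continue
        path = PureWindowsPath(normalize_image_path(ev["ImagePath"]))
        if str(path.parent) in SYSTEM_DIRS and path.name not in BASELINE_SERVICE_BINARIES:
            hits.append({"service": ev["ServiceName"], "image": str(path),
                         "start": ev.get("StartType", "")})
    return hits


def self_spawning_images(events):
    """Images that launched a copy of themselves (Image == ParentImage in Sysmon 1)."""
    return {ev["Image"].lower() for ev in events
            if ev["id"] == "1" and ev["Image"].lower() == ev.get("ParentImage", "").lower()}


def correlate(events):
    """Raise the verdict when a suspicious service binary is also seen self-spawning."""
    spawns = self_spawning_images(events)
    findings = []
    for hit in suspicious_service_installs(events):
        hit["self_spawn"] = hit["image"] in spawns
        hit["verdict"] = "high" if hit["self_spawn"] else "medium"
        findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The self-spawn check on its own also fires for the first stage (uIsv6VTOek.exe launching uIsv6VTOek.exe), which is useful as a low-severity lead but is deliberately not escalated without the service install, since legitimate updaters and installers re-launch themselves too.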

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\uIsv6VTOek.exe -- File opened: C:\Windows\SysWOW64\hyperlanes.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\svchost.exe -- Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe -- Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\uIsv6VTOek.exe -- File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\SysWOW64\hyperlanes.exe -- Code function: EnumServicesStatusExW,GetLastError,
Source: C:\Windows\SysWOW64\hyperlanes.exe -- Code function: EnumServicesStatusExW,GetTickCount,OpenServiceW,
Source: C:\Windows\System32\svchost.exe TID: 3252 -- Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3252 -- Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4232 -- Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\svchost.exe -- File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe -- Last function: Thread delayed
Source: C:\Users\user\Desktop\uIsv6VTOek.exe -- File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000007.00000002.263326660.000001B642140000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.307334251.0000027B4BB40000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.1293837629.000002997FB40000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.332152706.0000024DEF680000.00000002.00000001.sdmp, svchost.exe, 00000023.00000002.601972028.000002049A600000.00000002.00000001.sdmp, svchost.exe, 00000026.00000002.1292412373.0000024EB8090000.00000002.00000001.sdmp -- Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp -- Binary or memory string: Hyper-V RAWP
Source: svchost.exe, 00000009.00000002.599030099.0000022A76662000.00000004.00000001.sdmp -- Binary or memory string: @Hyper-V RAW
Source: hyperlanes.exe, 00000006.00000003.365988326.00000000007A1000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.599007749.0000022A7664B000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.600405322.0000020499671000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.1148492415.0000024EB7A33000.00000004.00000001.sdmp -- Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000C.00000002.1290152378.0000028060602000.00000004.00000001.sdmp -- Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000007.00000002.263326660.000001B642140000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.307334251.0000027B4BB40000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.1293837629.000002997FB40000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.332152706.0000024DEF680000.00000002.00000001.sdmp, svchost.exe, 00000023.00000002.601972028.000002049A600000.00000002.00000001.sdmp, svchost.exe, 00000026.00000002.1292412373.0000024EB8090000.00000002.00000001.sdmp -- Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000007.00000002.263326660.000001B642140000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.307334251.0000027B4BB40000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.1293837629.000002997FB40000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.332152706.0000024DEF680000.00000002.00000001.sdmp, svchost.exe, 00000023.00000002.601972028.000002049A600000.00000002.00000001.sdmp, svchost.exe, 00000026.00000002.1292412373.0000024EB8090000.00000002.00000001.sdmp -- Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 0000000C.00000002.1290272167.000002806063E000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.1290050616.000002997EE69000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.932778840.0000023A1A629000.00000004.00000001.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000007.00000002.263326660.000001B642140000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.307334251.0000027B4BB40000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.1293837629.000002997FB40000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.332152706.0000024DEF680000.00000002.00000001.sdmp, svchost.exe, 00000023.00000002.601972028.000002049A600000.00000002.00000001.sdmp, svchost.exe, 00000026.00000002.1292412373.0000024EB8090000.00000002.00000001.sdmp -- Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\hyperlanes.exe -- API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\uIsv6VTOek.exe -- Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\hyperlanes.exe -- Code function: 6_2_00D12010 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\hyperlanes.exe -- Code function: 6_2_00D115E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\hyperlanes.exe -- Code function: 6_2_00D03790 GetProcessHeap,GetProcessHeap,RtlAllocateHeap,lstrcmp,GetProcessHeap,HeapFree,GetCurrentProcess,wsprintfA,GetCurrentProcessId,
Source: C:\Users\user\Desktop\uIsv6VTOek.exe -- Code function: 0_2_0040110E GetMenuInfo,LocalReAlloc,InitializeCriticalSection,FreeUserPhysicalPages,GetLogicalProcessorInformation,GetLogicalProcessorInformation,UnregisterApplicationRecoveryCallback,CountClipboardFormats,GetSysColor,GetSystemMenu,ArrangeIconicWindows,GetCommProperties,GetCommProperties,SetSystemCursor,DdeImpersonateClient,IsZoomed,keybd_event,MonitorFromRect,CloseHandle,
Source: svchost.exe, 0000000D.00000002.1291126240.00000167D6460000.00000002.00000001.sdmp -- Binary or memory string: Program Manager
Source: svchost.exe, 0000000D.00000002.1291126240.00000167D6460000.00000002.00000001.sdmp -- Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 0000000D.00000002.1291126240.00000167D6460000.00000002.00000001.sdmp -- Binary or memory string: Progman
Source: svchost.exe, 0000000D.00000002.1291126240.00000167D6460000.00000002.00000001.sdmp -- Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\uIsv6VTOek.exe -- Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\hyperlanes.exe -- Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe -- Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe -- Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe -- Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe -- Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe -- Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe -- Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe -- Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe -- Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe -- Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe -- Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe -- Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe -- Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe -- Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe -- Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe -- Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe -- Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Users\user\Desktop\uIsv6VTOek.exe -- Code function: 0_2_00401064 GetSystemTimeAsFileTime,GetMessagePos,GetScrollBarInfo,GetScrollBarInfo,GetHandleInformation,
Source: C:\Windows\SysWOW64\hyperlanes.exe -- Code function: 6_2_00D1261F RtlGetVersion,GetNativeSystemInfo,
Source: C:\Windows\SysWOW64\hyperlanes.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: svchost.exe, 00000012.00000002.1290234615.000001DD49640000.00000004.00000001.sdmp | Binary or memory string: (@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 00000012.00000002.1290326352.000001DD49702000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Note that every entry under this signature is attributed to C:\Windows\System32\svchost.exe (the instance whose dumps carry the prefix 00000012), not to uIsv6VTOek.exe or the dropped hyperlanes.exe, and none of the Emotet Yara matches in the next section falls in an svchost.exe process. Maintaining the Security Center registry values and enumerating the ROOT\SecurityCenter2 AntiVirusProduct, FirewallProduct and AntiSpywareProduct classes is also what the Windows Security Center service itself does from a service host, so this signature needs corroboration (for example, evidence of injection into that svchost.exe) before it is read as sample behaviour.

              Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match | File source: 00000006.00000002.1291468406.0000000000D11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.246701559.00000000005B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.233356991.00000000005B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.245530482.00000000005B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.uIsv6VTOek.exe.5b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.uIsv6VTOek.exe.5b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.hyperlanes.exe.d10000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.hyperlanes.exe.5b0000.3.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

One line per tactic column; techniques the report flagged keep the number it attached to them, shown here in parentheses.

Initial Access: Valid Accounts (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
Execution: Windows Management Instrumentation (1), Service Execution (12), At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript
Persistence: DLL Side-Loading (1), Valid Accounts (1), Windows Service (12), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows)
Privilege Escalation: DLL Side-Loading (1), Valid Accounts (1), Access Token Manipulation (1), Windows Service (12), Process Injection (2), Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows)
Defense Evasion: Disable or Modify Tools (1), Software Packing (1), DLL Side-Loading (1), File Deletion (1), Masquerading (121), Valid Accounts (1), Access Token Manipulation (1), Virtualization/Sandbox Evasion (3), Process Injection (2), Hidden Files and Directories (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
Discovery: System Time Discovery (1), System Service Discovery (1), File and Directory Discovery (1), System Information Discovery (25), Security Software Discovery (51), Virtualization/Sandbox Evasion (3), Process Discovery (2), Remote System Discovery (1), System Network Connections Discovery, Process Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Command and Control: Ingress Tool Transfer (1), Encrypted Channel (12), Non-Standard Port (1), Application Layer Protocol (1), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Data Encrypted for Impact (1), Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact

Behavior Graph

(process and behaviour graph image; not reproduced in this text extraction)

Screenshots

(screenshot thumbnails; not reproduced in this text extraction)

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

Source | Detection | Scanner | Label
uIsv6VTOek.exe | 97% | ReversingLabs | Win32.Trojan.Emotet
uIsv6VTOek.exe | 100% | Avira | TR/Crypt.EPACK.Gen8
uIsv6VTOek.exe | 100% | Joe Sandbox ML | -

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

Source | Detection | Scanner | Label
4.0.uIsv6VTOek.exe.400000.0.unpack | 100% | Avira | TR/Crypt.EPACK.Gen8
6.1.hyperlanes.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.uIsv6VTOek.exe.400000.0.unpack | 100% | Avira | TR/Crypt.EPACK.Gen8
0.1.uIsv6VTOek.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.uIsv6VTOek.exe.5b0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.hyperlanes.exe.d00000.2.unpack | 100% | Avira | HEUR/AGEN.1110377
6.2.hyperlanes.exe.d10000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.uIsv6VTOek.exe.5b0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.hyperlanes.exe.5b0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.uIsv6VTOek.exe.5a0000.2.unpack | 100% | Avira | HEUR/AGEN.1110377
5.0.hyperlanes.exe.400000.0.unpack | 100% | Avira | TR/Crypt.EPACK.Gen8
6.2.hyperlanes.exe.400000.0.unpack | 100% | Avira | TR/Crypt.EPACK.Gen8
4.1.uIsv6VTOek.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.hyperlanes.exe.400000.0.unpack | 100% | Avira | TR/Crypt.EPACK.Gen8
4.2.uIsv6VTOek.exe.400000.0.unpack | 100% | Avira | TR/Crypt.EPACK.Gen8
5.2.hyperlanes.exe.5a0000.2.unpack | 100% | Avira | HEUR/AGEN.1110377
0.2.uIsv6VTOek.exe.5a0000.2.unpack | 100% | Avira | HEUR/AGEN.1110377
0.0.uIsv6VTOek.exe.400000.0.unpack | 100% | Avira | TR/Crypt.EPACK.Gen8
5.1.hyperlanes.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.0.hyperlanes.exe.400000.0.unpack | 100% | Avira | TR/Crypt.EPACK.Gen8

              Domains

              No Antivirus matches

              URLs

Source | Detection | Scanner | Label
http://78.47.182.42:8080/ | 0% | Avira URL Cloud | safe
http://72.45.212.62:8080/c( | 0% | Avira URL Cloud | safe
http://189.236.94.20:995/m# | 0% | Avira URL Cloud | safe
http://Passport.NET/tbpose | 0% | Avira URL Cloud | safe
http://108.170.54.171:8080/8j# | 0% | Avira URL Cloud | safe
http://72.45.212.62:8080/- | 0% | Avira URL Cloud | safe
http://108.170.54.171:8080/103.94:8080/ | 0% | Avira URL Cloud | safe
http://194.88.246.242:443/.177.28:8080/m | 0% | Avira URL Cloud | safe
http://47.188.131.94:443/ | 0% | Avira URL Cloud | safe
http://164.160.161.118:8080/ | 0% | Avira URL Cloud | safe
http://passport.net/tb | 0% | Avira URL Cloud | safe
http://108.170.54.171:8080/M | 0% | Avira URL Cloud | safe
https://%s.xboxlive.com | 0% | URL Reputation | safe
http://70.182.77.184:8090/ | 0% | Avira URL Cloud | safe
http://108.170.54.171:8080/N | 0% | Avira URL Cloud | safe
http://194.88.246.242:443/;( | 0% | Avira URL Cloud | safe
http://121.50.43.110:8080/ | 0% | Avira URL Cloud | safe
https://dynamic.t | 0% | URL Reputation | safe
http://76.72.225.30:465// | 0% | Avira URL Cloud | safe
http://206.210.104.194/A | 0% | Avira URL Cloud | safe
http://71.244.60.231:4143/ | 0% | Avira URL Cloud | safe
http://23.239.2.11:808/ | 0% | Avira URL Cloud | safe
http://108.170.54.171:8080/% | 0% | Avira URL Cloud | safe
http://70.182.77.184:8090/sw | 0% | Avira URL Cloud | safe
http://schemas.mi | 0% | URL Reputation | safe
http://70.184.125.132:8080/B | 0% | Avira URL Cloud | safe
http://194.88.246.242:443/ | 0% | Avira URL Cloud | safe
http://184.180.177.28:8080/ | 0% | Avira URL Cloud | safe
http://178.62.103.94:8080/ | 0% | Avira URL Cloud | safe
http://164.160.161.118:8080/)Bo | 0% | Avira URL Cloud | safe
http://178.62.103.94:8080/I(s | 0% | Avira URL Cloud | safe
http://69.17.170.58/ | 0% | Avira URL Cloud | safe
http://www.w3.o | 0% | URL Reputation | safe
http://76.72.225.30:465/0/u | 0% | Avira URL Cloud | safe
http://69.17.170.58/v | 0% | Avira URL Cloud | safe
http://70.182.77.184:8090/=# | 0% | Avira URL Cloud | safe
http://76.72.225.30:465/ | 0% | Avira URL Cloud | safe
http://178.62.103.94:8080/60.231:4143/E | 0% | Avira URL Cloud | safe
http://69.17.170.58/E | 0% | Avira URL Cloud | safe
http://108.170.54.171:8080/ | 0% | Avira URL Cloud | safe
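The hyperlanes.exe entries in the table above, and again in the memory-string table that follows, are bare http://IP:port/ strings on ports such as 8080, 995, 465 and 4143, several of them with a stray trailing byte or with a neighbouring memory string run onto the end (http://108.170.54.171:8080/103.94:8080/, http://194.88.246.242:443/.177.28:8080/m). A URL-reputation verdict on each string is of little use for that kind of data; what an analyst wants is the host:port pairs from the front of each string, with the tails ignored and the svchost.exe noise dropped. The Python below is an added example, not part of this Joe Sandbox report or of any tool it names, that does exactly that over rows copied from this report. The SAMPLE_ROWS list, the parse_endpoint and c2_candidates names and the choice of "hyperlanes.exe" as the process filter are assumptions of the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed input: (url, source process) pairs copied from this report's
# memory-string tables.  The svchost.exe rows are ordinary Windows service
# hosts and are included on purpose so the filter has noise to discard.
SAMPLE_ROWS = [
    ("http://78.47.182.42:8080/", "hyperlanes.exe"),
    ("http://72.45.212.62:8080/c(", "hyperlanes.exe"),
    ("http://189.236.94.20:995/m#", "hyperlanes.exe"),
    ("http://108.170.54.171:8080/8j#", "hyperlanes.exe"),
    ("http://108.170.54.171:8080/103.94:8080/", "hyperlanes.exe"),
    ("http://194.88.246.242:443/.177.28:8080/m", "hyperlanes.exe"),
    ("http://47.188.131.94:443/", "hyperlanes.exe"),
    ("http://70.182.77.184:8090/sw", "hyperlanes.exe"),
    ("http://76.72.225.30:465//", "hyperlanes.exe"),
    ("http://206.210.104.194/A", "hyperlanes.exe"),
    ("http://71.244.60.231:4143/", "hyperlanes.exe"),
    ("http://23.239.2.11:808/", "hyperlanes.exe"),
    ("http://69.17.170.58/", "hyperlanes.exe"),
    ("http://178.62.103.94:8080/60.231:4143/E", "hyperlanes.exe"),
    ("https://%s.xboxlive.com", "svchost.exe"),
    ("https://dev.virtualearth.net/REST/v1/Routes/", "svchost.exe"),
    ("http://Passport.NET/tbpose", "svchost.exe"),
]

# Match a literal dotted-quad host directly after the scheme, with an optional
# port, and stop at the first "/" (or end of string).  Anchoring on the front
# of the string is what makes the overlapping tails harmless: for
# "http://108.170.54.171:8080/103.94:8080/" only the first host:port is read.
_ENDPOINT = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?(?:/|$)")


def parse_endpoint(url):
    """Return (ip, port) for a raw-IP URL, or None for hostnames and garbage.

    A missing port defaults to 80 for http and 443 for https.  Private,
    loopback, multicast and reserved addresses are rejected: they cannot be
    an external endpoint and usually come from unrelated memory strings.
    """
    m = _ENDPOINT.match(url)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:          # e.g. an octet above 255
        return None
    if ip.is_private or ip.is_loopback or ip.is_multicast or ip.is_reserved:
        return None
    port = int(m.group(2)) if m.group(2) else (443 if url.startswith("https") else 80)
    if not 1 <= port <= 65535:
        return None
    return (str(ip), port)


def c2_candidates(rows, from_process="hyperlanes.exe"):
    """Unique (ip, port) endpoints from rows attributed to one process.

    Results are ordered by how often each endpoint was seen; a repeat usually
    means the same string was captured at several offsets or with different
    trailing bytes, as happens with 108.170.54.171:8080 in this report.
    """
    counts = Counter()
    for url, source in rows:
        if source != from_process:
            continue
        endpoint = parse_endpoint(url)
        if endpoint is not None:
            counts[endpoint] += 1
    return [endpoint for endpoint, _ in counts.most_common()]


if __name__ == "__main__":
    for ip, port in c2_candidates(SAMPLE_ROWS):
        print(f"{ip}:{port}")
```

Run against the rows above this yields 13 distinct endpoints, with 108.170.54.171:8080 first because it occurs twice. Read the output alongside the "Detected TCP or UDP traffic on non-standard ports" and "Connects to several IPs in different countries" signatures in the overview rather than alongside the Avira "safe" verdicts: the reputation engine scores each URL string, and the observation of value here is that a dropped executable carries a list of bare IP:port endpoints.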

              Domains and IPs

              Contacted Domains

              No contacted domains info

              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdng | svchost.exe, 00000026.00000003.825689349.0000024EB832A000.00000004.00000001.sdmp | false | - | high
http://78.47.182.42:8080/ | hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 00000010.00000002.312477867.000002A77143E000.00000004.00000001.sdmp | false | - | high
https://corp.roblox.com/contact/ | svchost.exe, 00000023.00000003.578478684.0000020499F6C000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.578518826.0000020499F88000.00000004.00000001.sdmp | false | - | high
https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 00000010.00000002.312449752.000002A771424000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/09/policyr | svchost.exe, 00000026.00000003.1148346365.0000024EB8381000.00000004.00000001.sdmp | false | - | high
http://72.45.212.62:8080/c( | hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 00000010.00000003.311886865.000002A771460000.00000004.00000001.sdmp | false | - | high
http://189.236.94.20:995/m# | hyperlanes.exe, 00000006.00000003.481688344.00000000007A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://account.live.com/Wizard/Password/Change?id=80601R | svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmp | false | - | high
http://Passport.NET/tbpose | svchost.exe, 00000026.00000003.1149031459.0000024EB8814000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://108.170.54.171:8080/8j# | hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 00000010.00000003.311935000.000002A77144B000.00000004.00000001.sdmp | false | - | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdp://s | svchost.exe, 00000026.00000003.823424802.0000024EB832C000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | svchost.exe, 00000026.00000002.1292902175.0000024EB8337000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 00000010.00000003.312062878.000002A771441000.00000004.00000001.sdmp | false | - | high
http://72.45.212.62:8080/- | hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://108.170.54.171:8080/103.94:8080/ | hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdN | svchost.exe, 00000026.00000003.823424802.0000024EB832C000.00000004.00000001.sdmp | false | - | high
https://appexmapsappupdate.blob.core.windows.net | svchost.exe, 00000010.00000003.311886865.000002A771460000.00000004.00000001.sdmp | false | - | high
https://en.help.roblox.com/hc/en-us | svchost.exe, 00000023.00000003.578478684.0000020499F6C000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.578518826.0000020499F88000.00000004.00000001.sdmp | false | - | high
https://account.live.com/InlineSignup.aspx?iww=1&id=80502 | svchost.exe, 00000026.00000003.821431345.0000024EB8351000.00000004.00000001.sdmp | false | - | high
http://www.bingmapsportal.com | svchost.exe, 00000010.00000002.312434670.000002A771413000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000010.00000003.289950405.000002A771430000.00000004.00000001.sdmp | false | - | high
http://194.88.246.242:443/.177.28:8080/m | hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://47.188.131.94:443/ | hyperlanes.exe, 00000006.00000003.365988326.00000000007A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://164.160.161.118:8080/ | hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 00000010.00000003.312053370.000002A771445000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 00000010.00000002.312477867.000002A77143E000.00000004.00000001.sdmp | false | - | high
https://www.roblox.com/develop | svchost.exe, 00000023.00000003.578478684.0000020499F6C000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.578518826.0000020499F88000.00000004.00000001.sdmp | false | - | high
https://account.live.com/msangcwam | svchost.exe, 00000026.00000003.821214824.0000024EB8329000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.821478832.0000024EB832C000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.821469527.0000024EB8329000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmp | false | - | high
http://passport.net/tb | svchost.exe, 00000026.00000002.1291561550.0000024EB7A7E000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.1148397347.0000024EB8819000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://corp.roblox.com/parents/ | svchost.exe, 00000023.00000003.578478684.0000020499F6C000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.578518826.0000020499F88000.00000004.00000001.sdmp | false | - | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 00000010.00000002.312477867.000002A77143E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.312434670.000002A771413000.00000004.00000001.sdmp | false | - | high
http://108.170.54.171:8080/M | hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://%s.xboxlive.com | svchost.exe, 0000000E.00000002.1290004272.000002997EE3E000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 00000010.00000003.289950405.000002A771430000.00000004.00000001.sdmp | false | - | high
http://70.182.77.184:8090/ | hyperlanes.exe, 00000006.00000003.365988326.00000000007A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 00000010.00000003.289950405.000002A771430000.00000004.00000001.sdmp | false | - | high
http://108.170.54.171:8080/N | hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds | svchost.exe, 00000026.00000002.1292902175.0000024EB8337000.00000004.00000001.sdmp | false | - | high
https://account.live.com/inlinesignup.aspx?iww=1&id=80603N | svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmp | false | - | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdptedD | svchost.exe, 00000026.00000003.825689349.0000024EB832A000.00000004.00000001.sdmp | false | - | high
http://194.88.246.242:443/;( | hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://121.50.43.110:8080/ | hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 00000010.00000003.289950405.000002A771430000.00000004.00000001.sdmp | false | - | high
https://dynamic.t | svchost.exe, 00000010.00000003.311901127.000002A77144D000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.311935000.000002A77144B000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.312062878.000002A771441000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 00000010.00000003.311886865.000002A771460000.00000004.00000001.sdmp | false | - | high
http://76.72.225.30:465// | hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | svchost.exe, 00000026.00000002.1292902175.0000024EB8337000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.827937050.0000024EB7A8E000.00000004.00000001.sdmp | false | - | high
http://206.210.104.194/A | hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdes | svchost.exe, 00000026.00000002.1292902175.0000024EB8337000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/02/trust/Issuessue | svchost.exe, 00000026.00000002.1292902175.0000024EB8337000.00000004.00000001.sdmp | false | - | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 00000010.00000002.312490057.000002A771447000.00000004.00000001.sdmp | false | - | high
http://71.244.60.231:4143/ | hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://23.239.2.11:808/ | hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 00000010.00000003.311935000.000002A77144B000.00000004.00000001.sdmp | false | - | high
http://108.170.54.171:8080/% | hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://70.182.77.184:8090/sw | hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.mi | svchost.exe, 00000026.00000003.1148330747.0000024EB8307000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 00000010.00000003.311886865.000002A771460000.00000004.00000001.sdmp | false | - | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 00000010.00000002.312477867.000002A77143E000.00000004.00000001.sdmp | false | - | high
https://account.live.com/inlinesignup.aspx?iww=1&id=80601y0 | svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmp | false | - | high
http://70.184.125.132:8080/B | hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://194.88.246.242:443/ | hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust | svchost.exe, 00000026.00000002.1292902175.0000024EB8337000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 00000010.00000003.312062878.000002A771441000.00000004.00000001.sdmp | false | - |
                                                                                              high
                                                                                              http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionIDsvchost.exe, 00000026.00000003.827937050.0000024EB7A8E000.00000004.00000001.sdmpfalse
                                                                                                high
                                                                                                http://184.180.177.28:8080/hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://dev.ditu.live.com/mapcontrol/logging.ashxsvchost.exe, 00000010.00000003.311886865.000002A771460000.00000004.00000001.sdmpfalse
                                                                                                  high
                                                                                                  https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=svchost.exe, 00000010.00000003.289950405.000002A771430000.00000004.00000001.sdmpfalse
                                                                                                    high
                                                                                                    https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=svchost.exe, 00000010.00000003.289950405.000002A771430000.00000004.00000001.sdmpfalse
                                                                                                      high
                                                                                                      http://178.62.103.94:8080/hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://164.160.161.118:8080/)Bohyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://www.g5e.com/G5_End_User_License_Supplemental_Termssvchost.exe, 00000023.00000003.569441527.000002049A402000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.569460119.0000020499F65000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.569472732.0000020499F54000.00000004.00000001.sdmpfalse
                                                                                                        high
                                                                                                        http://178.62.103.94:8080/I(shyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://69.17.170.58/hyperlanes.exe, 00000006.00000003.365988326.00000000007A1000.00000004.00000001.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        https://account.live.com/inlinesignup.aspx?iww=1&id=80600;svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmpfalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/schc=csvchost.exe, 00000026.00000002.1292902175.0000024EB8337000.00000004.00000001.sdmpfalse
                                                                                                            high
                                                                                                            http://www.w3.osvchost.exe, 00000026.00000003.826341450.0000024EB8358000.00000004.00000001.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsvchost.exe, 00000026.00000003.827937050.0000024EB7A8E000.00000004.00000001.sdmpfalse
                                                                                                              high
                                                                                                              http://76.72.225.30:465/0/uhyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdxmldsisvchost.exe, 00000026.00000003.1148330747.0000024EB8307000.00000004.00000001.sdmpfalse
                                                                                                                high
                                                                                                                https://signup.live.com/signup.aspxsvchost.exe, 00000026.00000003.821469527.0000024EB8329000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.1291184647.0000024EB7A3D000.00000004.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 00000010.00000002.312477867.000002A77143E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.289950405.000002A771430000.00000004.00000001.sdmpfalse
                                                                                                                    high
                                                                                                                    http://69.17.170.58/vhyperlanes.exe, 00000006.00000003.365988326.00000000007A1000.00000004.00000001.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    http://70.182.77.184:8090/=#hyperlanes.exe, 00000006.00000003.365988326.00000000007A1000.00000004.00000001.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashxsvchost.exe, 00000010.00000003.311886865.000002A771460000.00000004.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      http://76.72.225.30:465/hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      https://account.live.com/inlinesignup.aspx?iww=1&id=80603svchost.exe, 00000026.00000003.821478832.0000024EB832C000.00000004.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        http://schemas.xmlsoap.org/ws/2004/09/policysvchost.exe, 00000026.00000002.1292902175.0000024EB8337000.00000004.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymoussvchost.exe, 00000026.00000002.1292902175.0000024EB8337000.00000004.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://178.62.103.94:8080/60.231:4143/Ehyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            http://69.17.170.58/Ehyperlanes.exe, 00000006.00000003.365988326.00000000007A1000.00000004.00000001.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            https://account.live.com/inlinesignup.aspx?iww=1&id=80605svchost.exe, 00000026.00000003.821214824.0000024EB8329000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.821478832.0000024EB832C000.00000004.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              https://dev.virtualearth.net/REST/v1/Traffic/Incidents/svchost.exe, 00000010.00000003.289950405.000002A771430000.00000004.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                https://account.live.com/inlinesignup.aspx?iww=1&id=80604svchost.exe, 00000026.00000003.821478832.0000024EB832C000.00000004.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://108.170.54.171:8080/hyperlanes.exe, 00000006.00000002.1290780450.0000000000767000.00000004.00000020.sdmpfalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  https://instagram.com/hiddencity_svchost.exe, 00000023.00000003.569441527.000002049A402000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.569460119.0000020499F65000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.569472732.0000020499F54000.00000004.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=svchost.exe, 00000010.00000003.312053370.000002A771445000.00000004.00000001.sdmpfalse
                                                                                                                                      high

Contacted IPs



Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 405975
Start date: 06.05.2021
Start time: 15:30:54
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 57s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: uIsv6VTOek (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal88.troj.evad.winEXE@22/9@0/23
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 51.9% (good quality ratio 41.6%)
• Quality average: 67.5%
• Quality standard deviation: 38.7%
HCA Information:
• Successful, ratio: 69%
• Number of executed functions: 0
                                                                                                                                      • Number of non-executed functions: 0
                                                                                                                                      Cookbook Comments:
                                                                                                                                      • Adjust boot time
                                                                                                                                      • Enable AMSI
                                                                                                                                      Warnings:
                                                                                                                                      Show All
                                                                                                                                      • Exclude process from analysis (whitelisted): taskhostw.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, wuapihost.exe
                                                                                                                                      • Excluded IPs from analysis (whitelisted): 52.255.188.83, 104.42.151.234, 92.122.145.220, 168.61.161.212, 13.64.90.137, 40.88.32.150, 184.30.24.56, 20.82.210.154, 8.238.85.254, 8.241.90.126, 8.238.29.126, 8.241.82.126, 8.238.27.126, 92.122.213.247, 92.122.213.194, 20.54.26.129, 20.82.209.183, 52.155.217.156, 20.190.160.132, 20.190.160.75, 20.190.160.134, 20.190.160.73, 20.190.160.71, 20.190.160.6, 20.190.160.2, 20.190.160.4, 51.104.136.2, 20.49.150.241, 40.126.31.6, 40.126.31.4, 40.126.31.139, 20.190.159.134, 20.190.159.138, 40.126.31.8, 20.190.159.132, 40.126.31.135
                                                                                                                                      • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, www.tm.a.prd.aadg.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, login.live.com, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, ams2.current.a.prd.aadg.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
                                                                                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                      • VT rate limit hit for: /opt/package/joesandbox/database/analysis/405975/sample/uIsv6VTOek.exe

Simulations

Behavior and APIs

Time      Type             Description
15:32:09  API Interceptor  13x Sleep call for process: svchost.exe modified
15:33:26  API Interceptor  1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match            Associated Sample Name / URL                                 Detection  Context
47.188.131.94    http://www.bilginerotoekspertiz.com/DOC/Order-35988251857/   malicious  47.188.131.94:443/
                 547815.exe                                                   malicious  47.188.131.94:443/
110.143.116.201  EMOTET.EXE                                                   malicious  110.143.116.201/
69.17.170.58     RFG-INV-44654524697988.doc                                   malicious  69.17.170.58/
                 Invoice-0159595.doc                                          malicious  69.17.170.58/
                 Invoice-0159595.doc                                          malicious  69.17.170.58/
                 Emotet.doc                                                   malicious  69.17.170.58/
                 Zahlungserinnerung-vom-Juni.doc                              malicious  69.17.170.58/
                 Rechnung-fur-Zahlung-080-438.doc                             malicious  69.17.170.58/

Domains

No context

ASN

Match: HETZNER-ASDE
  Associated Sample Name / URL                  Detection  Context
  43b5d336_by_Libranalysis.dll                  malicious  188.40.137.206
  FileZilla_3.53.1_win64_sponsored-setup.exe    malicious  49.12.121.47
  c46bd0ae_by_Libranalysis.dll                  malicious  188.40.137.206
  01dfc6c9_by_Libranalysis.dll                  malicious  188.40.137.206
  8007ff84_by_Libranalysis.dll                  malicious  188.40.137.206
  fd1dbef7_by_Libranalysis.dll                  malicious  188.40.137.206
  903930a7_by_Libranalysis.dll                  malicious  188.40.137.206
  zd1uT5UZFn1.dll                               malicious  188.40.137.206
  80f0e076_by_Libranalysis.dll                  malicious  188.40.137.206
  5af88031_by_Libranalysis.dll                  malicious  188.40.137.206
  db8e6a08_by_Libranalysis.exe                  malicious  95.216.186.40
  d4812def_by_Libranalysis.dll                  malicious  188.40.137.206
  viruss.xlsb                                   malicious  95.216.186.40
  afbb944a_by_Libranalysis.dll                  malicious  188.40.137.206
  file.msg.exe                                  malicious  138.201.223.6
  e24a2e43_by_Libranalysis.dll                  malicious  188.40.137.206
  4ee2bc17_by_Libranalysis.dll                  malicious  188.40.137.206
  6de01617_by_Libranalysis.dll                  malicious  188.40.137.206
  a7813732_by_Libranalysis.dll                  malicious  188.40.137.206
  c8752ee0_by_Libranalysis.dll                  malicious  188.40.137.206

Match: ASN-TELSTRATelstraCorporationLtdAU
  Associated Sample Name / URL                  Detection  Context
  9cf2c56e_by_Libranalysis.exe                  malicious  101.187.197.33
  KnAY2OIPI3                                    malicious  1.151.13.11
  x86_unpacked                                  malicious  1.153.223.118
  ppc_unpacked                                  malicious  1.126.33.34
  rIbyGX66Op                                    malicious  203.49.228.158
  MGuvcs6Ocz                                    malicious  139.130.197.234
  4JQil8gLKd                                    malicious  124.177.182.198
  z3hir.x86                                     malicious  1.150.156.5
  v8iFmF7XPp.dll                                malicious  110.145.101.66
  2ojdmC51As.exe                                malicious  110.142.236.207
  3kDM9S0iGA.exe                                malicious  124.182.146.41
  networkmanager                                malicious  203.46.154.161
  IU-8549 Medical report COVID-19.doc           malicious  110.142.236.207
  kF1JPCXvSq.dll                                malicious  144.139.47.206
  oHqMFmPndx.exe                                malicious  101.184.48.99
  utox.exe                                      malicious  1.132.105.157
  SecuriteInfo.com.Trojan.BtcMine.3311.17146.exe  malicious  101.187.176.67
  e5ad48f310b56ceb013a30be125d967e.exe          malicious  139.130.242.43
  fIk5kbvEeK.exe                                malicious  139.130.242.43
  xESLg6TBHK.exe                                malicious  139.130.242.43

Match: FRONTIER-FRTRUS
  Associated Sample Name / URL                  Detection  Context
  9cf2c56e_by_Libranalysis.exe                  malicious  47.148.241.179
  nT7K5GG5km                                    malicious  72.87.194.121
  KnAY2OIPI3                                    malicious  96.254.228.27
  JRyLnlTR1O                                    malicious  47.207.20.144
  v8iFmF7XPp.dll                                malicious  47.144.21.37
  YPJ9DZYIpO                                    malicious  47.206.88.151
  sample.exe.exe                                malicious  71.244.60.231
  yxghUyIGb4.exe                                malicious  71.244.60.231
  PDFXCview.exe                                 malicious  50.45.114.178
  #Ud83d#Udd04bvoneida- empirix.com iPhone 8 104 OKeep.htm  malicious  184.24.29.126
  kF1JPCXvSq.dll                                malicious  47.146.169.85
  bin.sh                                        malicious  172.95.177.246
  oHqMFmPndx.exe                                malicious  50.121.246.26
  NormhjTcQb.exe                                malicious  47.148.117.234
  Astra.x86                                     malicious  50.123.44.24
  4F58TLaSSt.exe                                malicious  184.24.28.12
  8uOajLllk2.exe                                malicious  47.146.32.175
  s4dz16MUhV.exe                                malicious  47.146.117.214
  IKp3ziFZtQ.exe                                malicious  47.146.32.175
  NCqZWgrjZ7.exe                                malicious  47.146.32.175

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files
C:\ProgramData\Microsoft\Network\Downloader\edb.chk
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):24576
Entropy (8bit):0.36205444996716485
Encrypted:false
SSDEEP:48:UtcctcMtcctcMtcctcMtcctcQtcctc0tcctc:UtTtDtTtDtTtDtTtTtTtbtTt
MD5:353C0E84A6C573D30B15481706263B9A
SHA1:4DCBF5ED97F1251EEF6E0747906368AB5639D0FA
SHA-256:4412C6044B8C975D5BAB1F0E173339AE2A091A3B4D2DFBF771F1E9B854EF1751
SHA-512:210B6E533923CF5F3FE255C39E1B2D243F675D2C022FA613E3ABD680FB552A2FD9079BF1699C91A5033AED47E29EE0191CF6E307429554A3128D2C009E047AFD
Malicious:false
Preview: .............'..........3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................).............................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):16384
Entropy (8bit):0.2407788896284114
Encrypted:false
SSDEEP:12:0GlGaD0JcaaD0JwQQcFAg/0bjSQJT/4fsw/u1i/psw/u1i/:0GrgJctgJwE2rjSuTQfMYM
MD5:59F29336D8CCDDB572055250699C7612
SHA1:143F81BF34DA2DB957B08617121D228A24C035D2
SHA-256:24D8E0D438DE0F84F38B40B8A10122B53DD03F3045A8623D09778B1AD74E763F
SHA-512:6BE72B3CBF17EE77C9398A4CCFFFA7CB38E9023F1CEDF574531504377732209A98C8B8205460A46BA9F0BC9E9812CBFC63C59C96BCF099419BFDA17057AB3541
Malicious:false
Preview: ......:{..(...... ...y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................... ...y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Process:C:\Windows\System32\svchost.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0x9c40291d, page size 16384, DirtyShutdown, Windows version 10.0
Category:dropped
Size (bytes):131072
Entropy (8bit):0.09680244578901817
Encrypted:false
SSDEEP:24:Botplx+1otplx+Woo+Woo+dPorL+dPorL+W1V1:U/vv3L3LbT
MD5:46FB2F4EE273F10F4AA9BADBCAF8404F
SHA1:4B2E3156300C476B026B757605CE1FD617EC07DD
SHA-256:BE7C68A545D9A5FFE77295F090AD6F0B02499752C9E263818AE0C0E63FD876BC
SHA-512:C774FE3988C205DCE428E6E2357BA5AABF80EF82DECA7745F82035E282B81F16690A51A3357960CFDC42817266A55ADC6F4AF257DEE9C1D4B01694A9F6BE89A0
Malicious:false
Preview: .@).... ................e.f.3...w........................&..........w... ...y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w......................................................................................................................................................................................................................................]... ...y.k.................y~.. ...y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
Process:C:\Windows\System32\svchost.exe
File Type:SysEx File - SIEL
Category:dropped
Size (bytes):32768
Entropy (8bit):0.11527357190504775
Encrypted:false
SSDEEP:6:B/isS4MAt4fAzjGeDsS4MAPHQ+AFktKufktKFGxPXsS4MAtcxKwgtKuXbFGo9ZrQ:w8t4Y+084Diz82YPN8tZzJbqnzl8
MD5:D6FC88F453AC93BEA35CDCE51D2A23FE
SHA1:DE1372E1230912E563952F699AD65C8F1BB07EAF
SHA-256:298D2A34DEF3F485107F758A34E1A8EA1B37CF6F219C2F028A024AA4D26F0A16
SHA-512:42D18ECF68F3D74E9C42BDC1020C0862A7668EF2956F46A60C1B29867D484FA847597F8B3C7E107226FEC161744A9B76F78B522C2BC0FA7B287776E5F5F61611
Malicious:false
Preview: .!.f.....................................3...w... ...y.......w...............w.......w....:O.....w...................y~.. ...y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.10972430036902728
Encrypted:false
SSDEEP:12:26ZVXm/Ey6q9995UPNAlq3qQ10nMCldimE8eawHjchvd:26Z4l68CPBLyMCldzE9BHjchvd
MD5:AB02BDAFBDD1AF497A3C7517EAA4D6C0
SHA1:4501975BA9B4AA490A8F524D8B79B79E3D62E42E
SHA-256:8EAA28439AF197B63F219FCF0701876A80DFD45D9C3606407BFC74B1EE0DD232
SHA-512:C18359193860ED77E5C36FF146871972109CB6526994DBEB77462B93760B24E64DEC8F98DEDA59752493A6B1F8DC6A6F92A2BCF955DA13D69BE1B54CC9AA7381
Malicious:false
Preview: ................................................................................t.......:.!......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................M...1..... ......N..B..........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.t.........!.....................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.1123908352906178
Encrypted:false
SSDEEP:12:cllzXm/Ey6q9995UPN4z1miM3qQ10nMCldimE8eawHza1miIu:Uwl68CPO1tMLyMCldzE9BHza1tIu
MD5:335B52834DE3F6A97A92E6574E91EF0F
SHA1:45471CA804AC819E13C84769CD1512A188DAC4D8
SHA-256:03A3AB47E6C45C566856ABC663EFD7184B17D774F6CC47A6858CD4B5415F1576
SHA-512:C0C8FBECE83F271D10B3D217446F3363A869BF773ABE2C67138CD38012BD35BA8BC01518AC569705F7BB14A4B173A4B1BD194B9820D9260F43BD016CBFEF3B45
Malicious:false
Preview: ................................................................................t.......CP ......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................M...1..... ......)..B..........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.t........Y .....................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.11220629493205327
Encrypted:false
SSDEEP:12:vFXm/Ey6q9995UPNM0z1mK2P3qQ10nMCldimE8eawHza1mKWn:Ql68CPb1iPLyMCldzE9BHza1Q
MD5:2F98EEBBA7D8F12F08260881A89A76A1
SHA1:525A7FE2D38794BFB7F405681458F80DC398F4BF
SHA-256:BF1D755170FB80D875AD407EDDE97A362D30F62370DE27371A20B9F38EE47856
SHA-512:E96188104FBEEADACEAAFECE62A69B872F19F6FDF813F9793DD5844EECD659F08208789E412469B72AAD16074FF9B87DAD9C6FF9BED7986AF9BC00B27236399C
Malicious:false
Preview: ................................................................................t................................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................M...1..... .........B..........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.t.......L.......................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Process:C:\Windows\System32\svchost.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):55
Entropy (8bit):4.306461250274409
Encrypted:false
SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:DCA83F08D448911A14C22EBCACC5AD57
SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:false
Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
Process:C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:data
Category:modified
Size (bytes):906
Entropy (8bit):3.161054860519664
Encrypted:false
SSDEEP:12:58KRBubdpkoF1AG3rXxk9+MlWlLehB4yAq7ejCSQ:OaqdmuF3rG+kWReH4yJ7M4
MD5:92028ECC4C8EAA2B257E7376C94A3D33
SHA1:19A4A84D023301E8786F1092F04D0CD8AA5C7EB3
SHA-256:5BFDE5226D832276F0DAD46A5D7963580A84C5370B0720C396CB844EFA43AB19
SHA-512:B1984487375F80E340964733C1BD32F7B6874D94F47D51DD7C77B10FF837A832FC0D99C3F92E00C59B59411368DB40DAC49F442D0BE30451BEC3F2A985246E43
Malicious:false
Preview: ........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. M.a.y. .. 0.6. .. 2.0.2.1. .1.5.:.3.3.:.2.6.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. M.a.y. .. 0.6. .. 2.0.2.1. .1.5.:.3.3.:.2.6.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....
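
Pulling the records above into something scriptable (grouping paths by writing process, extracting hashes for an IOC list) is a routine triage step; the parser below is an added example for this report's "path line followed by Key:Value lines" layout, not code from the sandbox vendor. The embedded input re-types two of the records above (values are the page's own, Preview lines trimmed); the field-name set and the "only Malicious:true hashes go on the block list" default are assumptions.

```python
from typing import Dict, List

# Field names used by the per-file records above (assumed complete for this layout).
FIELDS = {
    "Process", "File Type", "Category", "Size (bytes)", "Entropy (8bit)",
    "Encrypted", "SSDEEP", "MD5", "SHA1", "SHA-256", "SHA-512",
    "Malicious", "Preview",
}

# Constructed input: two records from the listing above, re-typed in the same
# layout (hash values are the page's own; the Preview lines are trimmed).
SAMPLE_RECORDS = r"""
C:\ProgramData\Microsoft\Network\Downloader\edb.chk
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):24576
Entropy (8bit):0.36205444996716485
Encrypted:false
MD5:353C0E84A6C573D30B15481706263B9A
SHA1:4DCBF5ED97F1251EEF6E0747906368AB5639D0FA
SHA-256:4412C6044B8C975D5BAB1F0E173339AE2A091A3B4D2DFBF771F1E9B854EF1751
Malicious:false
Preview: .............'..........3...w..................C:\ProgramData\Microsoft\Network\Downloader\ (trimmed)
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
Process:C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:data
Category:modified
Size (bytes):906
Entropy (8bit):3.161054860519664
Encrypted:false
MD5:92028ECC4C8EAA2B257E7376C94A3D33
SHA1:19A4A84D023301E8786F1092F04D0CD8AA5C7EB3
SHA-256:5BFDE5226D832276F0DAD46A5D7963580A84C5370B0720C396CB844EFA43AB19
Malicious:false
Preview: ....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. (trimmed)
"""


def parse_records(text: str) -> List[Dict[str, object]]:
    """Turn the flat record layout into one dict per file.

    A line whose text before the first ':' is a known field name belongs to
    the current record; any other non-empty line starts a new record (a path
    such as C:\\... has only 'C' before its colon, so it is never mistaken
    for a field).  Preview text may itself contain colons, which is why only
    the first colon is split on.
    """
    records: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep and key in FIELDS:
            if not current:
                raise ValueError(f"field before any file path: {line!r}")
            current[key] = value.strip()
        else:
            current = {"Path": line}
            records.append(current)
    for rec in records:
        # The report prints every value as text; type the ones worth comparing on.
        if "Size (bytes)" in rec:
            rec["Size (bytes)"] = int(str(rec["Size (bytes)"]))
        if "Entropy (8bit)" in rec:
            rec["Entropy (8bit)"] = float(str(rec["Entropy (8bit)"]))
        for flag in ("Encrypted", "Malicious"):
            if flag in rec:
                rec[flag] = str(rec[flag]).lower() == "true"
    return records


def writers(records: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group dropped/modified paths by the process that wrote them."""
    out: Dict[str, List[str]] = {}
    for rec in records:
        out.setdefault(str(rec.get("Process", "")), []).append(str(rec["Path"]))
    return out


def ioc_hashes(records: List[Dict[str, object]], algo: str = "SHA-256",
               only_malicious: bool = True) -> List[str]:
    """Hashes for a block list, lower-cased.  By default only records the
    sandbox marked Malicious:true are taken, so a listing like the one above
    (all false: BITS database, ETW traces, a Defender log) yields nothing."""
    return sorted(
        str(r[algo]).lower()
        for r in records
        if algo in r and (r.get("Malicious") or not only_malicious)
    )


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for proc, paths in writers(recs).items():
        print(proc, "->", paths)
    print("IOC hashes:", ioc_hashes(recs))
```

Paste the full "Created / dropped Files" text in place of SAMPLE_RECORDS to run it over the whole listing; records without a hash field are simply skipped by ioc_hashes.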

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.86734896093207
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:uIsv6VTOek.exe
File size:126976
MD5:3ee16bbc971bceb22c5ea3b79f8f711d
SHA1:f20112dd192c7ec6fbf1a3772769c833f60433b7
SHA256:982a1c7af717a51a2b5a661b7e4d0e0d63565e80e9a74e76b33fe416076ee86b
SHA512:b76b9408f50f34793a4b610dbaa19127f2f73238f717570057d1dc732800cb1707e1e8c9c82ccdf0287ece783108804dd7f7cbfa9ea7e9f560f198c57e5bc320
SSDEEP:3072:VITbjGFrTPdoAfkIIxphNq7PfyEPpUWDzX:iTbid5IfPGPf
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?..({..{{..{{..{r.G{j..{{..{f..{{..{z..{v..{z..{v..{z..{Rich{..{........PE..L.....+[.................`........................@

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x4014d1
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp: 0x5B2BFACA [Thu Jun 21 19:21:46 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: edb14a960a2b14879d5a7c17f2162ccc

Entrypoint Preview

Instruction
push ebp
push ebx
mov eax, 00000056h
lea ecx, dword ptr [00415B22h]
mov dword ptr [ecx+eax], esi
mov eax, 001F56BEh
mov ecx, dword ptr [esp+04h]
lea edx, dword ptr [002204C6h]
mov dword ptr [edx+eax], ecx
mov ecx, esp
inc ecx
xchg eax, ecx
inc eax
lea edx, dword ptr [0040F7D5h]
add eax, 07h
xor ecx, ecx
add ecx, 000063B3h
dec eax
mov dword ptr [edx+ecx], eax
lea edx, dword ptr [00415B7Ch]
mov dword ptr [edx], edi
lea edx, dword ptr [00415B7Eh]
inc edx
pop ecx
inc edx
mov dword ptr [edx], ecx
pop eax
call 00007F0344B09323h
test eax, eax
call 00007F0344B093C6h
mov eax, 00000001h
ret
mov dword ptr [ebp-04h], eax
int3
push ebp
mov ebp, esp
push esi
and esp, FFFFFFF8h
sub esp, 28h
mov eax, dword ptr [ebp+08h]
mov dword ptr [esp+14h], 44134E68h
mov ecx, dword ptr [esp+18h]
mov edx, dword ptr [esp+1Ch]
mov esi, 01E48E3Ch
mov dword ptr [esp+0Ch], eax
mov eax, ecx
mov dword ptr [esp+08h], edx
mul esi
mov ecx, dword ptr [esp+08h]
imul ecx, ecx, 01E48E3Ch
add edx, ecx
mov dword ptr [esp+18h], eax
mov dword ptr [esp+1Ch], edx
mov dword ptr [esp+10h], 1BBA1F5Bh
mov eax, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edx, dword ptr [esp+0Ch]
mov esi, dword ptr [edx+3Ch]
xor ecx, 68E6DF45h
cmp eax, ecx

Rich Headers

Programming Language:
• [RES] VS2013 build 21005
• [LNK] VS2013 build 21005
• [IMP] VS2008 SP1 build 30729

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4fec | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x17000 | 0x8bf8 | .pdata
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x40 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x40a0 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4000 | 0x94 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x228c | 0x3000 | False | 0.456787109375 | data | 5.14396711885 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x4000 | 0x13d2 | 0x2000 | False | 0.155639648438 | data | 4.41665254462 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x6000 | 0x10b8c | 0x10000 | False | 0.882965087891 | data | 7.87710670899 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata | 0x17000 | 0x8bf8 | 0x9000 | False | 0.331814236111 | data | 5.02661516801 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_BITMAP | 0x17790 | 0x2028 | data | French | France
RT_BITMAP | 0x197b8 | 0x33d0 | data | French | France
RT_BITMAP | 0x1cb88 | 0xb8 | data | English | United States
RT_BITMAP | 0x1cc40 | 0x144 | data | English | United States
RT_MENU | 0x1cd88 | 0x19a | data | English | United States
RT_DIALOG | 0x1cf28 | 0x1f2 | data | English | United States
RT_DIALOG | 0x1d120 | 0x286 | data | French | France
RT_DIALOG | 0x1d3a8 | 0xe8 | data | English | United States
RT_DIALOG | 0x1d490 | 0x34 | data | English | United States
RT_STRING | 0x1d4c8 | 0xe0 | data | English | United States
RT_STRING | 0x1d5a8 | 0x46 | data | English | United States
RT_STRING | 0x1d5f0 | 0x3c | data | English | United States
RT_STRING | 0x1d630 | 0x166 | data | English | United States
RT_STRING | 0x1d798 | 0x260 | data | English | United States
RT_STRING | 0x1d9f8 | 0x328 | data | English | United States
RT_STRING | 0x1dd20 | 0x70 | data | English | United States
RT_STRING | 0x1dd90 | 0x106 | data | English | United States
RT_STRING | 0x1de98 | 0xda | data | English | United States
RT_STRING | 0x1df78 | 0x46 | data | English | United States
RT_STRING | 0x1dfc0 | 0x78 | data | English | United States
RT_STRING | 0x1e038 | 0x1f8 | data | English | United States
RT_STRING | 0x1e230 | 0x86 | data | English | United States
RT_STRING | 0x1e2b8 | 0x82 | data | English | United States
RT_STRING | 0x1e340 | 0x2a | data | English | United States
RT_STRING | 0x1e370 | 0x184 | data | English | United States
RT_STRING | 0x1e4f8 | 0x4e6 | data | English | United States
RT_STRING | 0x1e9e0 | 0x264 | data | English | United States
RT_STRING | 0x1ec48 | 0x2da | data | English | United States
RT_STRING | 0x1ef28 | 0x8a | data | English | United States
RT_STRING | 0x1efb8 | 0xac | data | English | United States
RT_STRING | 0x1f068 | 0xde | data | English | United States
RT_STRING | 0x1f148 | 0x4a8 | data | English | United States
RT_STRING | 0x1f5f0 | 0x228 | data | English | United States
RT_STRING | 0x1f818 | 0x2c | data | English | United States
RT_STRING | 0x1f848 | 0x42 | data | English | United States
RT_ACCELERATOR | 0x1f890 | 0x68 | data | English | United States
RT_VERSION | 0x1f8f8 | 0x300 | data | English | United States

Imports

DLL | Import
ole32.dll | CreateBindCtx
ADVAPI32.dll | GetPrivateObjectSecurity, AdjustTokenPrivileges, ReadEventLogA
MPRAPI.dll | MprInfoBlockRemove
USER32.dll | keybd_event, MonitorFromRect, DdeImpersonateClient, ArrangeIconicWindows, GetSystemMenu, GetSysColor, CountClipboardFormats, GetMenuInfo, GetScrollBarInfo, GetMessagePos, CharNextA, SetSystemCursor, IsZoomed
KERNEL32.dll | QueueUserWorkItem, CloseHandle, GetSystemTimeAsFileTime, GetHandleInformation, GetCommProperties, UnregisterApplicationRecoveryCallback, GetLogicalProcessorInformation, FreeUserPhysicalPages, InitializeCriticalSection, LocalReAlloc
SHLWAPI.dll | UrlUnescapeW
msvcrt.dll | fsetpos

Version Infos

Description | Data
LegalCopyright | (c)2008-2018 CPUID. All rights reserved.
InternalName | HWMonitor.exe
FileVersion | 1, 3, 5, 0
CompanyName | CPUID
ProductName | CPUID Hardware Monitor
ProductVersion | 1, 3, 5, 0
FileDescription | HWMonitor
OriginalFilename | HWMonitor.exe
Translation | 0x0409 0x04e4

Possible Origin

Language of compilation system | Country where language is spoken
French | France
English | United States

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/06/21-15:33:57.561381 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 173.219.152.57 | 192.168.2.3
05/06/21-15:37:49.216521 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 83.118.200.66 | 192.168.2.3
05/06/21-15:37:52.735997 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 83.118.200.66 | 192.168.2.3
05/06/21-15:37:59.536302 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 83.118.200.66 | 192.168.2.3
05/06/21-15:39:10.098463 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 67.223.195.94 | 192.168.2.3
05/06/21-15:39:13.098340 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 67.223.195.94 | 192.168.2.3
05/06/21-15:39:19.099356 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 67.223.195.94 | 192.168.2.3

Network Port Distribution

TCP Packets


UDP Packets

                                                                                                                                      May 6, 2021 15:39:04.807533026 CEST5570853192.168.2.38.8.8.8
                                                                                                                                      May 6, 2021 15:39:04.877876997 CEST53557088.8.8.8192.168.2.3
                                                                                                                                      May 6, 2021 15:39:05.537774086 CEST5680353192.168.2.38.8.8.8
                                                                                                                                      May 6, 2021 15:39:05.613012075 CEST53568038.8.8.8192.168.2.3
                                                                                                                                      May 6, 2021 15:39:38.364568949 CEST5714553192.168.2.38.8.8.8
                                                                                                                                      May 6, 2021 15:39:38.438050032 CEST53571458.8.8.8192.168.2.3

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 6, 2021 15:36:33.299753904 CEST | 8.8.8.8 | 192.168.2.3 | 0x9c3c | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.trafficmanager.net | (none) | CNAME (Canonical name) | IN (0x0001)
May 6, 2021 15:39:04.877876997 CEST | 8.8.8.8 | 192.168.2.3 | 0xa2d8 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | (none) | CNAME (Canonical name) | IN (0x0001)

Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 15:31:45
Start date: 06/05/2021
Path: C:\Users\user\Desktop\uIsv6VTOek.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\uIsv6VTOek.exe'
Imagebase: 0x400000
File size: 126976 bytes
MD5 hash: 3EE16BBC971BCEB22C5EA3B79F8F711D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.233356991.00000000005B1000.00000020.00000001.sdmp, Author: Joe Security
• Rule: Emotet, Description: Emotet Payload, Source: 00000000.00000002.233356991.00000000005B1000.00000020.00000001.sdmp, Author: kevoreilly
Reputation: low

General

Start time: 15:31:56
Start date: 06/05/2021
Path: C:\Users\user\Desktop\uIsv6VTOek.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\uIsv6VTOek.exe
Imagebase: 0x400000
File size: 126976 bytes
MD5 hash: 3EE16BBC971BCEB22C5EA3B79F8F711D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.246701559.00000000005B1000.00000020.00000001.sdmp, Author: Joe Security
• Rule: Emotet, Description: Emotet Payload, Source: 00000004.00000002.246701559.00000000005B1000.00000020.00000001.sdmp, Author: kevoreilly
Reputation: low

General

Start time: 15:31:58
Start date: 06/05/2021
Path: C:\Windows\SysWOW64\hyperlanes.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\hyperlanes.exe
Imagebase: 0x400000
File size: 126976 bytes
MD5 hash: 3EE16BBC971BCEB22C5EA3B79F8F711D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.245530482.00000000005B1000.00000020.00000001.sdmp, Author: Joe Security
• Rule: Emotet, Description: Emotet Payload, Source: 00000005.00000002.245530482.00000000005B1000.00000020.00000001.sdmp, Author: kevoreilly
Reputation: low

General

Start time: 15:31:59
Start date: 06/05/2021
Path: C:\Windows\SysWOW64\hyperlanes.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\hyperlanes.exe
Imagebase: 0x400000
File size: 126976 bytes
MD5 hash: 3EE16BBC971BCEB22C5EA3B79F8F711D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.1291468406.0000000000D11000.00000020.00000001.sdmp, Author: Joe Security
• Rule: Emotet, Description: Emotet Payload, Source: 00000006.00000002.1291468406.0000000000D11000.00000020.00000001.sdmp, Author: kevoreilly
Reputation: low

General

Start time: 15:32:05
Start date: 06/05/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:32:09
Start date: 06/05/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:32:18
Start date: 06/05/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:32:20
Start date: 06/05/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:32:21
Start date: 06/05/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k unistacksvcgroup
Imagebase: 0x7ff63a9c0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:32:22
Start date: 06/05/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase: 0x7ff7ca4e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:32:23
Start date: 06/05/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:32:23
Start date: 06/05/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:32:24
Start date: 06/05/2021
Path: C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit): false
                                                                                                                                      Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                                                                      Imagebase:0x7ff71c640000
                                                                                                                                      File size:163336 bytes
                                                                                                                                      MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high

                                                                                                                                      General

                                                                                                                                      Start time:15:32:25
                                                                                                                                      Start date:06/05/2021
                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                                                                                      Imagebase:0x7ff7488e0000
                                                                                                                                      File size:51288 bytes
                                                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high

                                                                                                                                      General

                                                                                                                                      Start time:15:32:38
                                                                                                                                      Start date:06/05/2021
                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                                      Imagebase:0x7ff7488e0000
                                                                                                                                      File size:51288 bytes
                                                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                      General

                                                                                                                                      Start time:15:33:25
                                                                                                                                      Start date:06/05/2021
                                                                                                                                      Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                                                                                                                                      Imagebase:0x7ff705e40000
                                                                                                                                      File size:455656 bytes
                                                                                                                                      MD5 hash:A267555174BFA53844371226F482B86B
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                      General

                                                                                                                                      Start time:15:33:26
                                                                                                                                      Start date:06/05/2021
                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                      Imagebase:0x7ff6b2800000
                                                                                                                                      File size:625664 bytes
                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                      General

                                                                                                                                      Start time:15:34:28
                                                                                                                                      Start date:06/05/2021
                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                                      Imagebase:0x7ff7488e0000
                                                                                                                                      File size:51288 bytes
                                                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                      General

                                                                                                                                      Start time:15:36:31
                                                                                                                                      Start date:06/05/2021
                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                                      Imagebase:0x7ff7488e0000
                                                                                                                                      File size:51288 bytes
                                                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                      Disassembly

                                                                                                                                      Code Analysis