Windows Analysis Report boI88C399w.exe

Overview

General Information

Sample Name: boI88C399w.exe
Analysis ID: 437123
MD5: 0a82064af051bad014b77038d60474b6
SHA1: f7bf190091d5fe307cfaeed630eeb341c935bda0
SHA256: 8f165a26d7e9ad72cb0d51cf01076cc4b0099a244cd4e702645d36dc788dd0cc
Detection

Emotet
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Connects to several IPs in different countries
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to enumerate running services
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • boI88C399w.exe (PID: 7052 cmdline: 'C:\Users\user\Desktop\boI88C399w.exe' MD5: 0A82064AF051BAD014B77038D60474B6)
    • splwow64.exe (PID: 7072 cmdline: C:\Windows\splwow64.exe 12288 MD5: 8D59B31FF375059E3C32B17BF31A76D5)
    • KBDHU1.exe (PID: 4780 cmdline: C:\Windows\SysWOW64\mos\KBDHU1.exe MD5: 0A82064AF051BAD014B77038D60474B6)
  • svchost.exe (PID: 7108 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6812 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7032 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5932 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
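Added example (editor's code, not part of the Joe Sandbox report and not from the sample): the Process Tree above as structured records, with the two checks a detection engineer would derive from it. The first flags a process image under C:\Windows whose MD5 equals that of a process started from a user-writable location (the sample relaunching its own copy as C:\Windows\SysWOW64\mos\KBDHU1.exe); the second flags an executable in a System32/SysWOW64 subdirectory that is not on an allowlist. The user-writable prefixes and the subdirectory allowlist are assumptions. splwow64.exe is also started by the sample, but it has a different hash and sits directly in C:\Windows, so neither check fires on it.

```python
# Process records from the report's Process Tree: (pid, parent_pid, image_path, md5). Parent
# pids follow the tree's indentation (splwow64.exe and KBDHU1.exe are children of PID 7052);
# rows at the top level get parent 0. Hashes are kept exactly as the tree prints them.
PROCESS_TREE = [
    (7052, 0,    r"C:\Users\user\Desktop\boI88C399w.exe", "0A82064AF051BAD014B77038D60474B6"),
    (7072, 7052, r"C:\Windows\splwow64.exe",              "8D59B31FF375059E3C32B17BF31A76D5"),
    (4780, 7052, r"C:\Windows\SysWOW64\mos\KBDHU1.exe",   "0A82064AF051BAD014B77038D60474B6"),
    (7108, 0,    r"C:\Windows\System32\svchost.exe",      "32569E403279B3FD2EDB7EBD036273FA"),
    (6812, 0,    r"C:\Windows\System32\svchost.exe",      "32569E403279B3FD2EDB7EBD036273FA"),
    (7032, 0,    r"C:\Windows\System32\svchost.exe",      "32569E403279B3FD2EDB7EBD036273FA"),
    (5932, 0,    r"C:\Windows\System32\svchost.exe",      "32569E403279B3FD2EDB7EBD036273FA"),
]

# Locations an unprivileged user can write to (assumption; extend per environment).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Subdirectories of System32/SysWOW64 that legitimately hold executables. Assumption: in
# production this allowlist is generated from a known-good install of the same Windows build.
KNOWN_SYSTEM_SUBDIRS = {"drivers", "wbem", "windowspowershell", "oobe", "spool", "dism",
                        "sysprep", "winevt"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def findings_for_tree(tree):
    """Apply two heuristics to process records; return [(pid, parent_pid, rule, image_path)].
      self-copy          image under C:\\Windows whose MD5 equals that of a process launched
                         from a user-writable path (the dropper relaunching a copy of itself)
      odd-system-subdir  executable in a System32/SysWOW64 subdirectory not on the allowlist
    MD5s are compared case-insensitively; the report prints the same hash in both cases."""
    lowered = [(pid, ppid, path, path.lower(), md5.lower()) for pid, ppid, path, md5 in tree]
    user_launched = {md5 for _, _, _, p, md5 in lowered if p.startswith(USER_WRITABLE_PREFIXES)}
    findings = []
    for pid, ppid, path, p, md5 in lowered:
        if p.startswith(USER_WRITABLE_PREFIXES) or not p.startswith("c:\\windows\\"):
            continue                        # only images inside the Windows directory matter here
        if md5 in user_launched:
            findings.append((pid, ppid, "self-copy", path))
        for sysdir in SYSTEM_DIRS:
            if p.startswith(sysdir):
                parts = p[len(sysdir):].split("\\")   # ["mos", "kbdhu1.exe"] for the dropped copy
                if len(parts) > 1 and parts[0] not in KNOWN_SYSTEM_SUBDIRS:
                    findings.append((pid, ppid, "odd-system-subdir", path))
    return findings


if __name__ == "__main__":
    for pid, ppid, rule, path in findings_for_tree(PROCESS_TREE):
        print(f"PID {pid} (parent {ppid}): {rule}: {path}")
```

Run against the tree above, both rules fire on PID 4780 only, and both name PID 7052 as the parent that started the copy; the four svchost.exe instances and splwow64.exe produce no findings.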

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["88.153.35.32:80", "107.170.146.252:8080", "173.212.214.235:7080", "167.114.153.111:8080", "202.141.243.254:443", "75.143.247.51:80", "85.105.111.166:80", "216.139.123.119:80", "113.61.66.94:80", "162.241.140.129:8080", "190.12.119.180:443", "2.58.16.89:8080", "91.211.88.52:7080", "93.147.212.206:80", "71.15.245.148:8080", "157.245.99.39:8080", "27.114.9.93:80", "50.91.114.38:80", "174.106.122.139:80", "47.36.140.164:80", "139.162.60.124:8080", "209.54.13.14:80", "217.20.166.178:7080", "185.94.252.104:443", "72.186.136.247:443", "172.86.188.251:8080", "41.185.28.84:8080", "87.106.139.101:8080", "89.216.122.92:80", "108.46.29.236:80", "184.180.181.202:80", "173.63.222.65:80", "120.150.60.189:80", "62.30.7.67:443", "139.99.158.11:443", "220.245.198.194:80", "138.68.87.218:443", "201.241.127.190:80", "186.74.215.34:80", "190.162.215.233:80", "24.178.90.49:80", "89.121.205.18:80", "5.39.91.110:7080", "59.125.219.109:443", "182.208.30.18:443", "123.176.25.234:80", "24.137.76.62:80", "74.208.45.104:8080", "194.187.133.160:443", "37.179.204.33:80", "194.4.58.192:7080", "95.9.5.93:80", "67.170.250.203:443", "61.33.119.226:443", "96.245.227.43:80", "68.115.186.26:80", "190.108.228.27:443", "112.185.64.233:80", "176.111.60.55:8080", "91.146.156.228:80", "190.240.194.77:443", "115.94.207.99:443", "62.171.142.179:8080", "134.209.144.106:443", "168.235.67.138:7080", "124.41.215.226:80", "172.104.97.173:8080", "202.134.4.216:8080", "94.200.114.161:80", "67.163.161.107:80", "61.76.222.210:80", "97.82.79.83:80", "74.214.230.200:80", "46.105.131.79:8080", "78.188.106.53:443", "186.70.56.94:443", "120.150.218.241:443", "50.245.107.73:443", "123.142.37.166:80", "110.145.77.103:80", "61.19.246.238:443", "218.147.193.146:80", "94.230.70.6:80", "154.91.33.137:443", "104.131.11.150:443", "95.213.236.64:8080", "49.50.209.131:80", "187.161.206.24:80", "37.139.21.175:8080", "121.124.124.40:7080", "200.116.145.225:443", "24.230.141.169:80", "194.190.67.75:80", "209.141.54.221:7080", "137.59.187.107:8080", "217.123.207.149:80", "24.133.106.23:80", "79.137.83.50:443", "24.179.13.119:80", "202.134.4.211:8080", "78.24.219.147:8080", "76.175.162.101:80", "121.7.31.214:80", "62.75.141.82:80", "109.74.5.95:8080", "75.188.96.231:80", "176.113.52.6:443", "50.35.17.13:80", "118.83.154.64:443", "110.142.236.207:80", "188.219.31.12:80", "72.143.73.234:443", "102.182.93.220:80", "66.76.12.94:8080", "103.86.49.11:8080", "190.164.104.62:80", "203.153.216.189:7080", "119.59.116.21:8080", "172.105.13.66:443", "94.23.237.171:443", "49.3.224.99:8080", "139.59.60.244:8080", "172.91.208.86:80"]}
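Added example (editor's code, not part of the Joe Sandbox report and not from the sample): turning the extracted configuration above into something usable. With the standard library only, it parses the configuration JSON, walks the DER SubjectPublicKeyInfo to recover the RSA modulus size and public exponent (the extractor only prints the base64 blob), tallies C2 endpoints per port, and checks flow records of the form the report prints under "global traffic" against the C2 list. The key and the 123 C2 entries are copied from this report; the six flows are the connections the report shows; the last two flow records, the function names and the "ip+port" / "ip-only" labels are the editor's constructions.

```python
import base64
import json
from collections import Counter

# Configuration exactly as the report's Malware Configuration Extractor emitted it: the key is
# base64 DER SubjectPublicKeyInfo carrying a literal "\n" escape, the C2 list has 123 entries.
# Raw triple-quoted string so json.loads receives the "\n" escape the way the report shows it.
CONFIG_JSON = r'''{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB",
"C2 list": [
"88.153.35.32:80", "107.170.146.252:8080", "173.212.214.235:7080", "167.114.153.111:8080", "202.141.243.254:443", "75.143.247.51:80", "85.105.111.166:80",
"216.139.123.119:80", "113.61.66.94:80", "162.241.140.129:8080", "190.12.119.180:443", "2.58.16.89:8080", "91.211.88.52:7080", "93.147.212.206:80",
"71.15.245.148:8080", "157.245.99.39:8080", "27.114.9.93:80", "50.91.114.38:80", "174.106.122.139:80", "47.36.140.164:80", "139.162.60.124:8080",
"209.54.13.14:80", "217.20.166.178:7080", "185.94.252.104:443", "72.186.136.247:443", "172.86.188.251:8080", "41.185.28.84:8080", "87.106.139.101:8080",
"89.216.122.92:80", "108.46.29.236:80", "184.180.181.202:80", "173.63.222.65:80", "120.150.60.189:80", "62.30.7.67:443", "139.99.158.11:443",
"220.245.198.194:80", "138.68.87.218:443", "201.241.127.190:80", "186.74.215.34:80", "190.162.215.233:80", "24.178.90.49:80", "89.121.205.18:80",
"5.39.91.110:7080", "59.125.219.109:443", "182.208.30.18:443", "123.176.25.234:80", "24.137.76.62:80", "74.208.45.104:8080", "194.187.133.160:443",
"37.179.204.33:80", "194.4.58.192:7080", "95.9.5.93:80", "67.170.250.203:443", "61.33.119.226:443", "96.245.227.43:80", "68.115.186.26:80",
"190.108.228.27:443", "112.185.64.233:80", "176.111.60.55:8080", "91.146.156.228:80", "190.240.194.77:443", "115.94.207.99:443", "62.171.142.179:8080",
"134.209.144.106:443", "168.235.67.138:7080", "124.41.215.226:80", "172.104.97.173:8080", "202.134.4.216:8080", "94.200.114.161:80", "67.163.161.107:80",
"61.76.222.210:80", "97.82.79.83:80", "74.214.230.200:80", "46.105.131.79:8080", "78.188.106.53:443", "186.70.56.94:443", "120.150.218.241:443",
"50.245.107.73:443", "123.142.37.166:80", "110.145.77.103:80", "61.19.246.238:443", "218.147.193.146:80", "94.230.70.6:80", "154.91.33.137:443",
"104.131.11.150:443", "95.213.236.64:8080", "49.50.209.131:80", "187.161.206.24:80", "37.139.21.175:8080", "121.124.124.40:7080", "200.116.145.225:443",
"24.230.141.169:80", "194.190.67.75:80", "209.141.54.221:7080", "137.59.187.107:8080", "217.123.207.149:80", "24.133.106.23:80", "79.137.83.50:443",
"24.179.13.119:80", "202.134.4.211:8080", "78.24.219.147:8080", "76.175.162.101:80", "121.7.31.214:80", "62.75.141.82:80", "109.74.5.95:8080",
"75.188.96.231:80", "176.113.52.6:443", "50.35.17.13:80", "118.83.154.64:443", "110.142.236.207:80", "188.219.31.12:80", "72.143.73.234:443",
"102.182.93.220:80", "66.76.12.94:8080", "103.86.49.11:8080", "190.164.104.62:80", "203.153.216.189:7080", "119.59.116.21:8080", "172.105.13.66:443",
"94.23.237.171:443", "49.3.224.99:8080", "139.59.60.244:8080", "172.91.208.86:80"
]}'''
CONFIG = json.loads(CONFIG_JSON)

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1


def _tlv(buf, off=0):
    """Read one DER tag-length-value at buf[off:]; return (tag, value, offset_after)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def rsa_key_params(spki_b64):
    """Return (modulus_bits, public_exponent) from a base64 SubjectPublicKeyInfo.
    base64.b64decode discards the newline the config embeds in the key string."""
    tag, spki, _ = _tlv(base64.b64decode(spki_b64))
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg_id, off = _tlv(spki)                 # AlgorithmIdentifier
    _, oid, _ = _tlv(alg_id)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("key is not rsaEncryption")
    tag, bits, _ = _tlv(spki, off)              # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected BIT STRING encoding")
    _, rsa_pub, _ = _tlv(bits, 1)               # skip the unused-bits byte
    _, n_bytes, off = _tlv(rsa_pub)             # INTEGER modulus
    _, e_bytes, _ = _tlv(rsa_pub, off)          # INTEGER publicExponent
    return int.from_bytes(n_bytes, "big").bit_length(), int.from_bytes(e_bytes, "big")


def port_histogram(c2_list):
    """Endpoints per TCP port; Emotet mixes 80/443 with the non-standard 7080/8080."""
    return Counter(int(entry.rsplit(":", 1)[1]) for entry in c2_list)


def match_flows(c2_list, flow_lines):
    """Classify 'src:port -> dst:port' records: 'ip+port' when the exact endpoint is in the
    config, 'ip-only' when just the host is (rotated port); unknown destinations are skipped."""
    exact = set(c2_list)
    hosts = {entry.rsplit(":", 1)[0] for entry in c2_list}
    hits = []
    for line in flow_lines:
        dst = line.strip().partition(" -> ")[2]
        if dst in exact:
            hits.append((dst, "ip+port"))
        elif dst.rsplit(":", 1)[0] in hosts:
            hits.append((dst, "ip-only"))
    return hits


# Constructed flow records: the six connections the report lists as "global traffic", then a
# benign destination in the documentation range and a C2 host on a port the config does not use.
SAMPLE_FLOWS = [
    "192.168.2.4:49746 -> 88.153.35.32:80",
    "192.168.2.4:49759 -> 107.170.146.252:8080",
    "192.168.2.4:49768 -> 173.212.214.235:7080",
    "192.168.2.4:49769 -> 167.114.153.111:8080",
    "192.168.2.4:49770 -> 202.141.243.254:443",
    "192.168.2.4:49773 -> 75.143.247.51:80",
    "192.168.2.4:49800 -> 203.0.113.10:443",
    "192.168.2.4:49801 -> 88.153.35.32:443",
]

if __name__ == "__main__":
    print("RSA modulus bits, exponent:", rsa_key_params(CONFIG["RSA Public Key"]))
    print("C2 endpoints per port:", dict(port_histogram(CONFIG["C2 list"])))
    print("flows matching the C2 list:", match_flows(CONFIG["C2 list"], SAMPLE_FLOWS))
```

On this configuration the DER walk yields a 768-bit modulus with public exponent 65537, and the C2 list spreads 123 endpoints over ports 80, 443, 7080 and 8080; the six sandbox connections all match an exact endpoint, the documentation-range destination is ignored, and the constructed contact to a C2 host on 443 is reported as an ip-only hit. Matching on the host as well as the exact endpoint is deliberate: Emotet operators move ports, so an IP-level block or alert is the safer rule.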

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000005.00000003.716674491.00000000032E2000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000000.00000003.658508716.0000000000602000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000005.00000002.906600906.00000000032D0000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(1 further entry not expanded in the report)

            Unpacked PEs

Source | Rule | Description | Author
0.3.boI88C399w.exe.62a3d0.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
0.2.boI88C399w.exe.62a3d0.2.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
0.2.boI88C399w.exe.2cc0000.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
5.3.KBDHU1.exe.32e32a0.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
0.2.boI88C399w.exe.62a3d0.2.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(5 further entries not expanded in the report)

                      Sigma Overview

                      No Sigma rule has matched

                      Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: boI88C399w.exe | Avira: detected
Found malware configuration
Source: 0.3.boI88C399w.exe.62a3d0.0.unpack | Malware Configuration Extractor: Emotet (RSA public key and 123-entry C2 list as shown under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: boI88C399w.exe | Virustotal: Detection: 81%
Source: boI88C399w.exe | Metadefender: Detection: 71%
Source: boI88C399w.exe | ReversingLabs: Detection: 89%
Machine Learning detection for sample
Source: boI88C399w.exe | Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe | Code function: 5_2_02342650 CryptAcquireContextW, CryptGenKey, CryptCreateHash, CryptImportKey, LocalFree, CryptDecodeObjectEx, CryptDecodeObjectEx, 5_2_02342650
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe | Code function: 5_2_02342290 CryptGetHashParam, CryptEncrypt, CryptDestroyHash, CryptDuplicateHash, memcpy, CryptExportKey, GetProcessHeap, RtlAllocateHeap, 5_2_02342290
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe | Code function: 5_2_02341FB0 memcpy, GetProcessHeap, RtlAllocateHeap, CryptDestroyHash, CryptDuplicateHash, 5_2_02341FB0
Uses 32bit PE files
Source: boI88C399w.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Further code functions (directory enumeration via FindFirstFileW / FindNextFileW):
Source: C:\Users\user\Desktop\boI88C399w.exe | Code function: 0_2_02CC38F0 FindNextFileW, FindNextFileW, _snwprintf, GetProcessHeap, FindFirstFileW, _snwprintf, FindClose, 0_2_02CC38F0
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe | Code function: 5_2_023438F0 FindNextFileW, FindNextFileW, _snwprintf, GetProcessHeap, HeapFree, FindFirstFileW, FindFirstFileW, _snwprintf, FindClose, FindClose, 5_2_023438F0

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: all 123 C2 endpoints listed under Malware Configuration above
Connects to several IPs in different countries
Source: unknown | Network traffic detected: IP country count 36
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 107.170.146.252:8080
Source: global traffic | TCP traffic: 192.168.2.4:49768 -> 173.212.214.235:7080
Source: global traffic | TCP traffic: 192.168.2.4:49769 -> 167.114.153.111:8080
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 200.116.145.225
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: HOSTER-KZ
Source: Joe Sandbox View | ASN Name: AfrihostZA
Source: Joe Sandbox View | ASN Name: TTNETTR
Further observed connections (standard ports):
Source: global traffic | TCP traffic: 192.168.2.4:49746 -> 88.153.35.32:80
Source: global traffic | TCP traffic: 192.168.2.4:49770 -> 202.141.243.254:443
Source: global traffic | TCP traffic: 192.168.2.4:49773 -> 75.143.247.51:80
Source: unknown | TCP traffic detected without corresponding DNS query: 88.153.35.32
Source: unknown | TCP traffic detected without corresponding DNS query: 107.170.146.252
Source: unknown | TCP traffic detected without corresponding DNS query: 173.212.214.235
Source: unknown | TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown | TCP traffic detected without corresponding DNS query: 202.141.243.254
Source: unknown | TCP traffic detected without corresponding DNS query: 75.143.247.51
The following strings come from the svchost.exe memory dumps, not from the sample: they are Microsoft Store catalog entries (note the ProductId and PackageFamilyName fields) cached by the service host, and they are listed only because they contain facebook.com and twitter.com URLs.
Source: svchost.exe, 0000000B.00000002.764648647.00000270E6470000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotif equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000B.00000002.764648647.00000270E6470000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotif equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000B.00000003.753034318.00000270E6B89000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-06-10T07:22:21.3909598Z||.||3f037643-6aef-47de-81ac-01c99fe373ef||1152921505693535664||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000B.00000003.741257022.00000270E6B71000.00000004.00000001.sdmp | String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: svchost.exe, 0000000B.00000003.744431076.00000270E6B73000.00000004.00000001.sdmp | String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-06-18T23:36:16.7415859Z||.||68d5c39b-b63c-4bf8-a1a4-8ce696a01371||1152921505693597400||Null||prerelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-06-18T23:35:29.3168730Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free* texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 0000000B.00000003.744410269.00000270E6B83000.00000004.00000001.sdmp | String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-06-18T23:36:16.7415859Z||.||68d5c39b-b63c-4bf8-a1a4-8ce696a01371||1152921505693597400||Null||prerelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-06-18T23:35:29.3168730Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free* texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE F
Source: KBDHU1.exe, 00000005.00000003.819264277.000000000073D000.00000004.00000001.sdmp, KBDHU1.exe, 00000005.00000002.906600906.00000000032D0000.00000004.00000001.sdmp | String found in binary or memory: http://107.170.146.252:8080/yYXdTFdZ0/DfPFFYTbrJqLTvn/OUI1VCQMV00VFH/tItqVujt/djBiHrQbZlsTCQpMosu/bq
Source: KBDHU1.exe, 00000005.00000002.905885561.0000000000720000.00000004.00000020.sdmp, KBDHU1.exe, 00000005.00000002.906600906.00000000032D0000.00000004.00000001.sdmp | String found in binary or memory: http://167.114.153.111:8080/K5ZJo5zQ/HcfJcbQPbzw55g8/vSjTj/8XztFu/4uKa0U6RLsViXlFaMpW/
Source: KBDHU1.exe, 00000005.00000002.905885561.0000000000720000.00000004.00000020.sdmp | String found in binary or memory: http://167.114.153.111:8080/K5ZJo5zQ/HcfJcbQPbzw55g8/vSjTj/8XztFu/4uKa0U6RLsViXlFaMpW/(
Source: KBDHU1.exe, 00000005.00000002.905885561.0000000000720000.00000004.00000020.sdmp | String found in binary or memory: http://167.114.153.111:8080/K5ZJo5zQ/HcfJcbQPbzw55g8/vSjTj/8XztFu/4uKa0U6RLsViXlFaMpW//
Source: KBDHU1.exe, 00000005.00000002.905885561.0000000000720000.00000004.00000020.sdmp | String found in binary or memory: http://167.114.153.111:8080/K5ZJo5zQ/HcfJcbQPbzw55g8/vSjTj/8XztFu/4uKa0U6RLsViXlFaMpW/6
Source: KBDHU1.exe, 00000005.00000002.905885561.0000000000720000.00000004.00000020.sdmp | String found in binary or memory: http://167.114.153.111:8080/K5ZJo5zQ/HcfJcbQPbzw55g8/vSjTj/8XztFu/4uKa0U6RLsViXlFaMpW/K
Source: KBDHU1.exe, 00000005.00000002.905885561.0000000000720000.00000004.00000020.sdmp | String found in binary or memory: http://167.114.153.111:8080/K5ZJo5zQ/HcfJcbQPbzw55g8/vSjTj/8XztFu/4uKa0U6RLsViXlFaMpW/v
Source: KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp, KBDHU1.exe, 00000005.00000002.905903392.000000000073B000.00000004.00000020.sdmp | String found in binary or memory: http://173.212.214.235:7080/hO5dkT/0EDa/Mr7phtrE381/twO6hvq/FJxtI0/
Source: KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp | String found in binary or memory: http://173.212.214.235:7080/hO5dkT/0EDa/Mr7phtrE381/twO6hvq/FJxtI0//
Source: KBDHU1.exe, 00000005.00000002.905903392.000000000073B000.00000004.00000020.sdmp | String found in binary or memory: http://173.212.214.235:7080/hO5dkT/0EDa/Mr7phtrE381/twO6hvq/FJxtI0//tItqVujt/djBiHrQbZlsTCQpMosu/bqx
Source: KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp | String found in binary or memory: http://173.212.214.235:7080/hO5dkT/0EDa/Mr7phtrE381/twO6hvq/FJxtI0/A:
Source: KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp | String found in binary or memory: http://202.141.243.254:443/ZTcUlmgOk/ZdXDncN6R/
Source: KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp | String found in binary or memory: http://202.141.243.254:443/ZTcUlmgOk/ZdXDncN6R/)5Z%
Source: KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp | String found in binary or memory: http://202.141.243.254:443/ZTcUlmgOk/ZdXDncN6R/750%
Source: KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp | String found in binary or memory: http://202.141.243.254:443/ZTcUlmgOk/ZdXDncN6R/x
Source: KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp, KBDHU1.exe, 00000005.00000002.905903392.000000000073B000.00000004.00000020.sdmp | String found in binary or memory: http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/
Source: KBDHU1.exe, 00000005.00000002.905903392.000000000073B000.00000004.00000020.sdmp | String found in binary or memory: http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/)
Source: KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp | String found in binary or memory: http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/Q
Source: KBDHU1.exe, 00000005.00000002.905903392.000000000073B000.00000004.00000020.sdmp | String found in binary or memory: http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/R
Source: KBDHU1.exe, 00000005.00000002.905903392.000000000073B000.00000004.00000020.sdmp | String found in binary or memory: http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/V
Source: KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp | String found in binary or memory: http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/s
Source: KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp | String found in binary or memory: http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/v5s%
Source: KBDHU1.exe, 00000005.00000002.905885561.0000000000720000.00000004.00000020.sdmp, KBDHU1.exe, 00000005.00000003.819264277.000000000073D000.00000004.00000001.sdmp | String found in binary or memory: http://88.153.35.32/jGQKlmkSoBBnbOFUuBG/9vXEjmEP4GznF/
Source: KBDHU1.exe, 00000005.00000002.905885561.0000000000720000.00000004.00000020.sdmp | String found in binary or memory: http://88.153.35.32/jGQKlmkSoBBnbOFUuBG/9vXEjmEP4GznF/&
Source: svchost.exe, 0000000B.00000002.764897589.00000270E69F0000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 0000000B.00000002.764897589.00000270E69F0000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 0000000B.00000002.764897589.00000270E69F0000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 0000000B.00000002.764897589.00000270E69F0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 0000000B.00000003.750587188.00000270E6B79000.00000004.00000001.sdmp | String found in binary or memory: http://universalstore.streaming.mediaservices.windows.net/411ee20d-d1b8-4d57-ae3f-af22235d79d9/1f8e1
Source: svchost.exe, 0000000B.00000003.741257022.00000270E6B71000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 0000000B.00000003.741257022.00000270E6B71000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 0000000B.00000002.764765099.00000270E64EC000.00000004.00000001.sdmp | String found in binary or memory: http://www.microsoft.
Source: svchost.exe, 0000000B.00000003.750528544.00000270E6B94000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.750587188.00000270E6B79000.00000004.00000001.sdmp | String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000000B.00000003.750574103.00000270E6B69000.00000004.00000001.sdmp | String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000000B.00000003.750528544.00000270E6B94000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.750587188.00000270E6B79000.00000004.00000001.sdmp | String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 0000000B.00000003.741257022.00000270E6B71000.00000004.00000001.sdmp | String found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
Source: svchost.exe, 0000000B.00000003.750528544.00000270E6B94000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.750587188.00000270E6B79000.00000004.00000001.sdmp | String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000000B.00000003.750528544.00000270E6B94000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.750587188.00000270E6B79000.00000004.00000001.sdmp | String found in binary or memory: https://www.roblox.com/info/privacy
Source: unknown | Network traffic detected: HTTP traffic on port 49770 -> 443
Source: KBDHU1.exe, 00000005.00000002.905874375.000000000070A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.716674491.00000000032E2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.658508716.0000000000602000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.906600906.00000000032D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.661246086.0000000000602000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 0.3.boI88C399w.exe.62a3d0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.boI88C399w.exe.62a3d0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.boI88C399w.exe.2cc0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.KBDHU1.exe.32e32a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.boI88C399w.exe.62a3d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.KBDHU1.exe.32e32a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.KBDHU1.exe.32e32a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.KBDHU1.exe.2340000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.KBDHU1.exe.32e32a0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.boI88C399w.exe.62a3d0.0.raw.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe | Code function: 5_2_02342650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx
Source: C:\Users\user\Desktop\boI88C399w.exe | Code function: 0_2_02CB01F0 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe | Code function: 5_2_022E01F0 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory
Source: C:\Users\user\Desktop\boI88C399w.exe | File created: C:\Windows\SysWOW64\mos\
Source: C:\Users\user\Desktop\boI88C399w.exe | File deleted: C:\Windows\SysWOW64\mos\KBDHU1.exe:Zone.Identifier
Source: C:\Users\user\Desktop\boI88C399w.exe | Code function: 0_2_00451D80
Source: C:\Users\user\Desktop\boI88C399w.exe | Code function: 0_2_02CC8240
Source: C:\Users\user\Desktop\boI88C399w.exe | Code function: 0_2_02CC3BA0
Source: C:\Users\user\Desktop\boI88C399w.exe | Code function: 0_2_02CC7740
Source: C:\Users\user\Desktop\boI88C399w.exe | Code function: 0_2_02CC3F20
Source: C:\Users\user\Desktop\boI88C399w.exe | Code function: 0_2_02CC1C70
Source: C:\Users\user\Desktop\boI88C399w.exe | Code function: 0_2_02CC3D10
Source: C:\Users\user\Desktop\boI88C399w.exe | Code function: 0_2_02CC6530
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe | Code function: 5_2_02348240
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe | Code function: 5_2_02346530
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe | Code function: 5_2_02343F20
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe | Code function: 5_2_02343D10
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe | Code function: 5_2_02341C70
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe | Code function: 5_2_02347740
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe | Code function: 5_2_02343BA0
Source: boI88C399w.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: boI88C399w.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: boI88C399w.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: boI88C399w.exe, 00000000.00000002.665279497.00000000039C0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs boI88C399w.exe
Source: boI88C399w.exe, 00000000.00000002.665566623.0000000003AC0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs boI88C399w.exe
Source: boI88C399w.exe, 00000000.00000002.665566623.0000000003AC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs boI88C399w.exe
Source: boI88C399w.exe, 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSEKPaint2.exe vs boI88C399w.exe
Source: boI88C399w.exe | Binary or memory string: OriginalFilenameSEKPaint2.exe vs boI88C399w.exe
Source: boI88C399w.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: boI88C399w.exe | Binary or memory string: F*\AC:\sekpaint20\SEKPaint2.vbp
Source: boI88C399w.exe, 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp, KBDHU1.exe, 00000005.00000002.905733350.000000000046C000.00000004.00020000.sdmp | Binary or memory string: @*\AC:\sekpaint20\SEKPaint2.vbp
Source: classification engine | Classification label: mal88.troj.evad.winEXE@9/0@0/100
Source: C:\Users\user\Desktop\boI88C399w.exe | Code function: 0_2_02CC87D0 CloseServiceHandle,_snwprintf,CreateServiceW,CloseServiceHandle
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe | Code function: 5_2_02344CB0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification
Source: C:\Users\user\Desktop\boI88C399w.exe | Code function: 0_2_02CC5070 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap
Source: boI88C399w.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\boI88C399w.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\boI88C399w.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\boI88C399w.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: boI88C399w.exe | Virustotal: Detection: 81%
Source: boI88C399w.exe | Metadefender: Detection: 71%
Source: boI88C399w.exe | ReversingLabs: Detection: 89%
Source: unknown | Process created: C:\Users\user\Desktop\boI88C399w.exe 'C:\Users\user\Desktop\boI88C399w.exe'
Source: C:\Users\user\Desktop\boI88C399w.exe | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Users\user\Desktop\boI88C399w.exe | Process created: C:\Windows\SysWOW64\mos\KBDHU1.exe C:\Windows\SysWOW64\mos\KBDHU1.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\boI88C399w.exe | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
                      Source: C:\Users\user\Desktop\boI88C399w.exeProcess created: C:\Windows\SysWOW64\mos\KBDHU1.exe C:\Windows\SysWOW64\mos\KBDHU1.exeJump to behavior
                      Source: C:\Users\user\Desktop\boI88C399w.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32Jump to behavior
                      Source: boI88C399w.exeStatic PE information: real checksum: 0x8839b should be: 0x8f92d
                      Source: C:\Users\user\Desktop\boI88C399w.exeCode functio