Windows Analysis Report YDArk.exe

Overview

General Information

Sample Name: YDArk.exe
Analysis ID: 498259
MD5: 9254b5e792af1a459b2af8d67c4ffada
SHA1: b4d50db2e0dc04c3d91aa74be0f188c1da50165e
SHA256: 40dd45c8c2557a0e8dd0c9afa521fa415653e9465b61b21241daf491477fe1b9

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Tries to detect virtualization through RDTSC time measurements
Changes security center settings (notifications, updates, antivirus, firewall)
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
PE file contains strange resources
Tries to load missing DLLs
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Detected TCP or UDP traffic on non-standard ports
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Entry point lies outside standard sections
Enables debug privileges
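Three of the static findings in the list above (non-standard section names, an entry point outside the standard sections, and the DllCharacteristics flags the report records as TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA) can be reproduced from the PE headers alone. The Python below is an added example; it is not part of the Joe Sandbox report and not YDArk code. It parses the COFF/optional headers and section table with struct only, and runs offline against a constructed, headers-only PE32+ image whose section names (.text, .ydk0), entry RVA and flag values are made up to mirror the report's pattern. To check the real file, pass its bytes to static_checks().

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# Section names a normal MSVC-built image uses; anything else counts as non-standard.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                     ".idata", ".edata", ".tls", ".bss", ".CRT", ".gfids", ".00cfg"}


def parse_pe(data: bytes) -> dict:
    """Read the COFF header, the optional header fields we need, and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i                    # section headers follow the optional header
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize = struct.unpack_from("<III", data, off + 8)
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize})
    return {"machine": machine, "entry_rva": entry_rva,
            "dll_characteristics": dll_chars, "sections": sections}


def static_checks(data: bytes) -> dict:
    """Reproduce the report's flag listing, entry-point location and section-name findings."""
    pe = parse_pe(data)
    flags = [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if pe["dll_characteristics"] & bit]
    entry = pe["entry_rva"]
    holder = next((s for s in pe["sections"]
                   if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    return {
        "flags": flags,
        "entry_section": holder["name"] if holder else None,
        "entry_outside_standard": holder is None or holder["name"] not in STANDARD_SECTIONS,
        "nonstandard_sections": [s["name"] for s in pe["sections"] if s["name"] not in STANDARD_SECTIONS],
    }


def build_sample_pe(section_names, entry_rva, dll_chars) -> bytes:
    """Constructed, headers-only PE32+ image used as offline input; NOT the analysed sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> PE header right after
    opt_size = 240                                            # PE32+ optional header incl. 16 data dirs
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                     # PE32+ magic
    struct.pack_into("<I", opt, 16, entry_rva)                # AddressOfEntryPoint
    struct.pack_into("<H", opt, 70, dll_chars)                # DllCharacteristics
    table = b""
    for i, name in enumerate(section_names):                  # one 40-byte header per section
        table += name.encode().ljust(8, b"\0")
        table += struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i,
                             0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    img = build_sample_pe((".text", ".ydk0"), entry_rva=0x2010, dll_chars=0x8160)
    print(static_checks(img))
```

The four DllCharacteristics flags are the defaults of a 64-bit MSVC release build and say nothing about intent on their own; the signals worth weighing are the entry point landing in a section with a made-up name, which is what packers and protectors typically produce, and the "strange resources" finding.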

Process Tree

  • System is w10x64
  • YDArk.exe (PID: 6920 cmdline: 'C:\Users\user\Desktop\YDArk.exe' MD5: 9254B5E792AF1A459B2AF8D67C4FFADA)
  • svchost.exe (PID: 6928 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4020 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1360 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 5744 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 3640 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 2368 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 1296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 672 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4356 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2148 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5304 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
Only YDArk.exe (PID 6920) is the submitted sample. The svchost.exe, SgrmBroker.exe and MpCmdRun.exe entries are listed at the same level as the sample, not beneath it, so the tree records them as system processes active during the run rather than as children of YDArk.exe; MpCmdRun.exe -wdenable and its conhost.exe are children of the wscsvc (Security Center) svchost.exe.

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview
AV Detection:

Multi AV Scanner detection for submitted file
Source: YDArk.exe, VirusTotal: Detection: 30%
Source: YDArk.exe, ReversingLabs: Detection: 21%
Source: YDArk.exe, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: G:\code\YDArk\1.0.2.2\Release\YDArk.pdb source: YDArk.exe
Source: global traffic, TCP traffic: 192.168.2.3:49787 -> 47.102.143.195:9999
Source: unknown, TCP traffic detected without corresponding DNS query: 47.102.143.195 (reported three times)
Note: among the "String found in binary or memory" hits that follow, the entries attributed to svchost.exe are Microsoft Store catalogue JSON, Microsoft service endpoints and a CRL URL read from system processes, not from YDArk.exe. Only the hits attributed to YDArk.exe, the http://47.102.143.195:9999/ URLs, are indicators of the sample itself.
Source: svchost.exe, 0000000E.00000002.389179462.000001E436348000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000E.00000002.389179462.000001E436348000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000E.00000002.389179462.000001E436348000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","
MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-10-01T06:45:58.4458116Z||.||e7745a23-b714-4fea-8a92-51e83dc3bf63||1152921505693962166||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000E.00000003.367059268.000001E4363D8000.00000004.00000001.sdmpString found in binary or memory: re offline or online.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e
Source: svchost.exe, 0000000E.00000003.367046140.000001E4363A6000.00000004.00000001.sdmpString found in binary or memory: re offline or online.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6
Source: YDArk.exe, 00000000.00000002.548049519.00000227B6B6E000.00000004.00000020.sdmpString found in binary or memory: http://47.102.143.195:9999/
Source: YDArk.exe, 00000000.00000002.548049519.00000227B6B6E000.00000004.00000020.sdmpString found in binary or memory: http://47.102.143.195:9999/%o
Source: YDArk.exe, 00000000.00000002.549506468.00000227B86B4000.00000004.00000040.sdmpString found in binary or memory: http://47.102.143.195:9999/0gk
Source: YDArk.exe, 00000000.00000002.548049519.00000227B6B6E000.00000004.00000020.sdmpString found in binary or memory: http://47.102.143.195:9999/ace
Source: YDArk.exe, 00000000.00000002.548049519.00000227B6B6E000.00000004.00000020.sdmpString found in binary or memory: http://47.102.143.195:9999/rk
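The connection 192.168.2.3:49787 -> 47.102.143.195:9999 was made with no DNS query for that host, and the same host:port is held as hard-coded http://47.102.143.195:9999/ URLs in YDArk.exe memory. A hard-coded IP on a high port with no name resolution is a classic C2 pattern, but it is also how some tools reach a fixed update or telemetry server; this report alone does not establish which, so 47.102.143.195:9999 is best treated as an indicator to pivot on. The Python below is an added example of the detection logic behind the report's "no corresponding DNS query" and "non-standard ports" signatures; it is not part of the report. It replays a constructed event log in a simplified format (not Zeek or Sysmon syntax): line 3 mirrors the report's connection, the other lines are invented context using documentation addresses, and EXPECTED_PORTS is an assumed allow-list.

```python
import ipaddress
from collections import defaultdict

# Assumed allow-list of ports outbound traffic is normally expected on.
EXPECTED_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8080, 8443}

# Address ranges treated as internal (RFC 1918 plus loopback and link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed event log, "ts dns client qname answer" or "ts conn proto src sport dst dport".
# Line 3 mirrors the connection in the report; every other line is made up.
SAMPLE_EVENTS = """\
1 dns 192.168.2.3 www.example.net 203.0.113.10
2 conn tcp 192.168.2.3 49788 203.0.113.10 443
3 conn tcp 192.168.2.3 49787 47.102.143.195 9999
4 conn tcp 192.168.2.3 49790 10.0.0.5 445
5 conn udp 192.168.2.3 51000 47.102.143.195 9999
"""


def parse_events(text: str):
    """Yield one dict per event line of the simplified log format."""
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[1] == "dns" and len(f) == 5:
            yield {"ts": int(f[0]), "kind": "dns", "qname": f[3], "answer": f[4]}
        elif f[1] == "conn" and len(f) == 7:
            yield {"ts": int(f[0]), "kind": "conn", "proto": f[2], "src": f[3],
                   "sport": int(f[4]), "dst": f[5], "dport": int(f[6])}
        else:
            raise ValueError("unparseable event: %r" % line)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_unresolved_connections(text: str) -> list:
    """Flag connections to external hosts that no earlier DNS answer produced,
    and/or that use a port outside EXPECTED_PORTS. Events are replayed in time order
    so a DNS answer only explains connections that come after it."""
    resolved = defaultdict(set)            # answer IP -> names that resolved to it so far
    findings = []
    for ev in sorted(parse_events(text), key=lambda e: e["ts"]):
        if ev["kind"] == "dns":
            resolved[ev["answer"]].add(ev["qname"])
            continue
        if is_internal(ev["dst"]):         # lateral traffic is out of scope for this check
            continue
        reasons = []
        if ev["dst"] not in resolved:
            reasons.append("no prior DNS resolution")
        if ev["dport"] not in EXPECTED_PORTS:
            reasons.append("non-standard port %d" % ev["dport"])
        if reasons:
            findings.append({"ts": ev["ts"], "proto": ev["proto"],
                             "dst": "%s:%d" % (ev["dst"], ev["dport"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_unresolved_connections(SAMPLE_EVENTS):
        print(hit)
```

On real telemetry the resolved map should expire entries by the answer's TTL rather than remembering them forever, and the DNS side should include answers from any resolver the host used, otherwise hosts using DoH or a cached answer from before the capture started will be flagged as unresolved.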
Source: svchost.exe, 0000000E.00000002.389124772.000001E436300000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000E.00000002.388982874.000001E435AEC000.00000004.00000001.sdmpString found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000E.00000003.368025747.000001E436820000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.367996913.000001E43638A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.367933787.000001E43638A000.00000004.00000001.sdmpString found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000003.00000002.305394920.0000027FA8E13000.00000004.00000001.sdmpString found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000E.00000003.367059268.000001E4363D8000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.367046140.000001E4363A6000.00000004.00000001.sdmpString found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 0000000E.00000003.367059268.000001E4363D8000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.367046140.000001E4363A6000.00000004.00000001.sdmpString found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 00000001.00000002.548084769.000001DD49A29000.00000004.00000001.sdmpString found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000001.00000002.548084769.000001DD49A29000.00000004.00000001.sdmpString found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000001.00000002.548084769.000001DD49A29000.00000004.00000001.sdmpString found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000003.00000003.305008455.0000027FA8E61000.00000004.00000001.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000001.00000002.548084769.000001DD49A29000.00000004.00000001.sdmpString found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000001.00000002.548084769.000001DD49A29000.00000004.00000001.sdmpString found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000003.376770289.000001E4363C3000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.376686039.000001E43635D000.00000004.00000001.sdmpString found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000000E.00000003.376686039.000001E43635D000.00000004.00000001.sdmpString found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 00000003.00000002.305442144.0000027FA8E3C000.00000004.00000001.sdmp, svchost.exe, 00000003.00000003.305017431.0000027FA8E5B000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000003.00000003.305017431.0000027FA8E5B000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000003.00000003.305008455.0000027FA8E61000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000003.00000002.305491995.0000027FA8E4F000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000003.00000003.305017431.0000027FA8E5B000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000003.00000003.305008455.0000027FA8E61000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000003.00000002.305447207.0000027FA8E46000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000003.00000002.305442144.0000027FA8E3C000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000003.00000003.305017431.0000027FA8E5B000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000003.00000002.305491995.0000027FA8E4F000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000003.00000003.305008455.0000027FA8E61000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000003.00000003.305008455.0000027FA8E61000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000003.00000003.305008455.0000027FA8E61000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000003.00000002.305442144.0000027FA8E3C000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000003.00000002.305499486.0000027FA8E54000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000003.00000002.305499486.0000027FA8E54000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000003.00000003.305008455.0000027FA8E61000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000003.00000003.305028647.0000027FA8E52000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000E.00000003.368025747.000001E436820000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.367996913.000001E43638A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.367933787.000001E43638A000.00000004.00000001.sdmpString found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000003.00000003.305017431.0000027FA8E5B000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000003.00000003.305017431.0000027FA8E5B000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000003.00000003.305017431.0000027FA8E5B000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000003.00000002.305447207.0000027FA8E46000.00000004.00000001.sdmp, svchost.exe, 00000003.00000003.305017431.0000027FA8E5B000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000003.00000003.305008455.0000027FA8E61000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000003.00000002.305491995.0000027FA8E4F000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000003.00000003.283307864.0000027FA8E30000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000003.376770289.000001E4363C3000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.376686039.000001E43635D000.00000004.00000001.sdmpString found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 0000000E.00000003.367059268.000001E4363D8000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.367046140.000001E4363A6000.00000004.00000001.sdmpString found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
Source: svchost.exe, 00000003.00000002.305491995.0000027FA8E4F000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000003.00000002.305491995.0000027FA8E4F000.00000004.00000001.sdmp, svchost.exe, 00000003.00000002.305394920.0000027FA8E13000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000003.00000003.305028647.0000027FA8E52000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000003.00000003.305028647.0000027FA8E52000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000003.00000002.305438131.0000027FA8E3A000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000003.00000002.305447207.0000027FA8E46000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 0000000E.00000003.368025747.000001E436820000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.367996913.000001E43638A000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000000E.00000003.368025747.000001E436820000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.367996913.000001E43638A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.367933787.000001E43638A000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000000E.00000003.376770289.000001E4363C3000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.376686039.000001E43635D000.00000004.00000001.sdmpString found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000000E.00000003.376770289.000001E4363C3000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.376686039.000001E43635D000.00000004.00000001.sdmpString found in binary or memory: https://www.roblox.com/info/privacy
Source: svchost.exe, 0000000E.00000003.370210308.000001E43638B000.00000004.00000001.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: YDArk.exe, 00000000.00000002.550799889.00007FF6A12C7000.00000002.00020000.sdmpBinary or memory string: NtUserGetRawInputData
Source: YDArk.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: YDArk.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: YDArk.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: YDArk.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: YDArk.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: YDArk.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: YDArk.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: YDArk.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: YDArk.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: YDArk.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: YDArk.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: YDArk.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: YDArk.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: YDArk.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: YDArk.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: YDArk.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\YDArk.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\Desktop\YDArk.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xboxlivetitleid.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cdpsgshims.dllJump to behavior
Source: YDArk.exeVirustotal: Detection: 30%
Source: YDArk.exeReversingLabs: Detection: 21%
Source: C:\Users\user\Desktop\YDArk.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\YDArk.exe 'C:\Users\user\Desktop\YDArk.exe'
Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenableJump to behavior
Source: C:\Users\user\Desktop\YDArk.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1296:120:WilError_01
Source: classification engineClassification label: mal60.evad.winEXE@13/1@0/1
Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\YDArk.exeWindow found: window name: SysTabControl32Jump to behavior
Source: YDArk.exeStatic file information: File size 10500096 > 1048576
Source: YDArk.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: YDArk.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: YDArk.exeStatic PE information: Raw size of .bin1 is bigger than: 0x100000 < 0x9f9800
Source: YDArk.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: YDArk.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: YDArk.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: YDArk.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: YDArk.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: YDArk.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: YDArk.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: YDArk.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: G:\code\YDArk\1.0.2.2\Release\YDArk.pdb source: YDArk.exe
Source: YDArk.exe | Static PE information: section name: _RDATA
Source: YDArk.exe | Static PE information: section name: .bin0
Source: YDArk.exe | Static PE information: section name: .bin1
Source: initial sample | Static PE information: section where entry point is pointing to: .bin1

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Users\user\Desktop\YDArk.exe | Memory written: PID: 6920 base: 7FFC8DE30005 value: E9 1B B9 E3 FF
Source: C:\Users\user\Desktop\YDArk.exe | Memory written: PID: 6920 base: 7FFC8DC6B920 value: E9 EA 46 1C 00
Source: C:\Users\user\Desktop\YDArk.exe | Memory written: PID: 6920 base: 7FFC8DE40005 value: E9 0B A8 E7 FF
Source: C:\Users\user\Desktop\YDArk.exe | Memory written: PID: 6920 base: 7FFC8DCBA810 value: E9 FA 57 18 00
Source: C:\Users\user\Desktop\YDArk.exe | Memory written: PID: 6920 base: 7FFC8D310007 value: E9 7B 93 DE FF
Source: C:\Users\user\Desktop\YDArk.exe | Memory written: PID: 6920 base: 7FFC8D0F9380 value: E9 8E 6C 21 00
Source: C:\Users\user\Desktop\YDArk.exe | Memory written: PID: 6920 base: 7FFC8D320006 value: E9 AB 5C DB FF
Source: C:\Users\user\Desktop\YDArk.exe | Memory written: PID: 6920 base: 7FFC8D0D5CB0 value: E9 5C A3 24 00
Source: C:\Users\user\Desktop\YDArk.exe | Memory written: PID: 6920 base: 7FFC8A410007 value: E9 AB A2 E6 FF
Source: C:\Users\user\Desktop\YDArk.exe | Memory written: PID: 6920 base: 7FFC8A27A2B0 value: E9 5E 5D 19 00
Source: C:\Users\user\Desktop\YDArk.exe | Memory written: PID: 6920 base: 7FFC8A420006 value: E9 2B BE D8 FF
Source: C:\Users\user\Desktop\YDArk.exe | Memory written: PID: 6920 base: 7FFC8A1ABE30 value: E9 DC 41 27 00
Source: C:\Users\user\Desktop\YDArk.exe | Memory written: PID: 6920 base: 7FFC8DE50008 value: E9 7B A9 E8 FF
Source: C:\Users\user\Desktop\YDArk.exe | Memory written: PID: 6920 base: 7FFC8DCDA980 value: E9 90 56 17 00
Source: C:\Users\user\Desktop\YDArk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YDArk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YDArk.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\YDArk.exe | RDTSC instruction interceptor: First address: 00007FF6A24BF4B0 second address: 00007FF6A24BF4DF instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 pop ecx 0x00000004 inc ecx 0x00000005 not bh 0x00000007 inc ecx 0x00000008 and bh, 0000006Eh 0x0000000b inc ecx 0x0000000c pop eax 0x0000000d inc ecx 0x0000000e pop ebx 0x0000000f inc ecx 0x00000010 cmp dh, ah 0x00000012 cmp ebx, 3AEC68F3h 0x00000018 pop esi 0x00000019 pop ebx 0x0000001a inc ebp 0x0000001b and dh, cl 0x0000001d pop edi 0x0000001e inc sp 0x00000020 movzx esp, bh 0x00000023 inc cx 0x00000025 btr esi, 3Bh 0x00000029 inc ecx 0x0000002a pop ebp 0x0000002b popfd 0x0000002c inc ecx 0x0000002d xchg ah, dl 0x0000002f rdtsc
Source: C:\Users\user\Desktop\YDArk.exe | RDTSC instruction interceptor: First address: 00007FF6A1ADF38F second address: 00007FF6A1ADF3BE instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 pop ecx 0x00000004 inc ecx 0x00000005 not bh 0x00000007 inc ecx 0x00000008 and bh, 0000006Eh 0x0000000b inc ecx 0x0000000c pop eax 0x0000000d inc ecx 0x0000000e pop ebx 0x0000000f inc ecx 0x00000010 cmp dh, ah 0x00000012 cmp ebx, 3AEC68F3h 0x00000018 pop esi 0x00000019 pop ebx 0x0000001a inc ebp 0x0000001b and dh, cl 0x0000001d pop edi 0x0000001e inc sp 0x00000020 movzx esp, bh 0x00000023 inc cx 0x00000025 btr esi, 3Bh 0x00000029 inc ecx 0x0000002a pop ebp 0x0000002b popfd 0x0000002c inc ecx 0x0000002d xchg ah, dl 0x0000002f rdtsc
Source: C:\Windows\System32\svchost.exe TID: 5684 | Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\YDArk.exe | Process information queried: ProcessInformation
Source: YDArk.exe, 00000000.00000002.550799889.00007FF6A12C7000.00000002.00020000.sdmp | Binary or memory string: !(Wvmware-N
Source: YDArk.exe, 00000000.00000002.550799889.00007FF6A12C7000.00000002.00020000.sdmp | Binary or memory string: N1YWe!.dmpDLL files (*.dll)*.dllAll files (*.*)*.*\SysWow64\kernel32.dllLoadLibraryWinject the DLL into %dWhen using in vmware, please remove the callback of vm3dmp.sys process!(Wvmware-N
Source: YDArk.exe, 00000000.00000002.548049519.00000227B6B6E000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWbar32
Source: svchost.exe, 0000000E.00000002.388906131.000001E435A78000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWP
Source: YDArk.exe, 00000000.00000002.548226634.00000227B6C18000.00000004.00000020.sdmp, svchost.exe, 0000000E.00000002.388982874.000001E435AEC000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000001.00000002.548116900.000001DD49A51000.00000004.00000001.sdmp, svchost.exe, 00000002.00000002.548083835.0000022E00429000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\YDArk.exe | Process token adjusted: Debug
Source: YDArk.exe, 00000000.00000002.548315741.00000227B6FB0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: YDArk.exe, 00000000.00000002.548315741.00000227B6FB0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: YDArk.exe, 00000000.00000002.548315741.00000227B6FB0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: YDArk.exe, 00000000.00000002.548315741.00000227B6FB0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: svchost.exe, 00000005.00000002.548186890.000002B59CF02000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000005.00000002.548122107.000002B59CE3D000.00000004.00000001.sdmp | Binary or memory string: \REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 00000005.00000002.548047623.000002B59CE13000.00000004.00000001.sdmp | Binary or memory string: \MsMpeng.exe
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 1 | DLL Side-Loading 1 | Process Injection 2 | Disable or Modify Tools 1 | Credential API Hooking 1 | Security Software Discovery 121 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Non-Standard Port 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Virtualization/Sandbox Evasion 1 | Input Capture 11 | Virtualization/Sandbox Evasion 1 | Remote Desktop Protocol | Input Capture 11 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 2 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | DLL Side-Loading 1 | NTDS | System Information Discovery 11 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

Behavior Graph


Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
YDArk.exe | 31% | Virustotal |
YDArk.exe | 9% | Metadefender |
YDArk.exe | 22% | ReversingLabs |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://47.102.143.195:9999/%o | 0% | Avira URL Cloud | safe
http://47.102.143.195:9999/0gk | 0% | Avira URL Cloud | safe
https://www.disneyplus.com/legal/your-california-privacy-rights | 1% | Virustotal |
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | Avira URL Cloud | safe
http://47.102.143.195:9999/rk | 0% | Avira URL Cloud | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
http://47.102.143.195:9999/ | 0% | Avira URL Cloud | safe
https://%s.xboxlive.com | 0% | URL Reputation | safe
https://www.disneyplus.com/legal/privacy-policy | 0% | Avira URL Cloud | safe
https://dynamic.t | 0% | URL Reputation | safe
https://disneyplus.com/legal. | 0% | Avira URL Cloud | safe
http://47.102.143.195:9999/ace | 0% | Avira URL Cloud | safe
http://help.disneyplus.com. | 0% | Avira URL Cloud | safe
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 00000003.00000002.305491995.0000027FA8E4F000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 00000003.00000003.305008455.0000027FA8E61000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 00000003.00000002.305491995.0000027FA8E4F000.00000004.00000001.sdmp | false | | high
https://corp.roblox.com/contact/ | svchost.exe, 0000000E.00000003.376770289.000001E4363C3000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.376686039.000001E43635D000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ | svchost.exe, 00000003.00000003.305017431.0000027FA8E5B000.00000004.00000001.sdmp | false | | high
https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 00000003.00000002.305447207.0000027FA8E46000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 00000003.00000003.305008455.0000027FA8E61000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 00000003.00000002.305499486.0000027FA8E54000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 00000003.00000003.305008455.0000027FA8E61000.00000004.00000001.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 00000003.00000002.305442144.0000027FA8E3C000.00000004.00000001.sdmp, svchost.exe, 00000003.00000003.305017431.0000027FA8E5B000.00000004.00000001.sdmp | false | | high
http://www.g5e.com/G5_End_User_License_Supplemental_Terms | svchost.exe, 0000000E.00000003.367059268.000001E4363D8000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.367046140.000001E4363A6000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 00000003.00000002.305499486.0000027FA8E54000.00000004.00000001.sdmp | false | | high
http://47.102.143.195:9999/%o | YDArk.exe, 00000000.00000002.548049519.00000227B6B6E000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://appexmapsappupdate.blob.core.windows.net | svchost.exe, 00000003.00000003.305008455.0000027FA8E61000.00000004.00000001.sdmp | false | | high
https://en.help.roblox.com/hc/en-us | svchost.exe, 0000000E.00000003.376770289.000001E4363C3000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.376686039.000001E43635D000.00000004.00000001.sdmp | false | | high
http://www.bingmapsportal.com | svchost.exe, 00000003.00000002.305394920.0000027FA8E13000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000003.00000002.305442144.0000027FA8E3C000.00000004.00000001.sdmp | false | | high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000003.00000002.305491995.0000027FA8E4F000.00000004.00000001.sdmp | false | | high
http://47.102.143.195:9999/0gk | YDArk.exe, 00000000.00000002.549506468.00000227B86B4000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 00000003.00000003.305008455.0000027FA8E61000.00000004.00000001.sdmp | false | | high
https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 0000000E.00000003.368025747.000001E436820000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.367996913.000001E43638A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.367933787.000001E43638A000.00000004.00000001.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure | svchost.exe, 0000000E.00000003.367059268.000001E4363D8000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.367046140.000001E4363A6000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 00000003.00000003.305028647.0000027FA8E52000.00000004.00000001.sdmp | false | | high
http://47.102.143.195:9999/rk | YDArk.exe, 00000000.00000002.548049519.00000227B6B6E000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 00000003.00000002.305491995.0000027FA8E4F000.00000004.00000001.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 00000003.00000002.305442144.0000027FA8E3C000.00000004.00000001.sdmp | false | | high
https://www.roblox.com/develop | svchost.exe, 0000000E.00000003.376770289.000001E4363C3000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.376686039.000001E43635D000.00000004.00000001.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 00000003.00000003.305028647.0000027FA8E52000.00000004.00000001.sdmp | false | | high
http://crl.ver) | svchost.exe, 0000000E.00000002.388982874.000001E435AEC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 00000003.00000003.305028647.0000027FA8E52000.00000004.00000001.sdmp | false | | high
https://www.tiktok.com/legal/report/feedback | svchost.exe, 0000000E.00000003.370210308.000001E43638B000.00000004.00000001.sdmp | false |
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://47.102.143.195:9999/YDArk.exe, 00000000.00000002.548049519.00000227B6B6E000.00000004.00000020.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://corp.roblox.com/parents/svchost.exe, 0000000E.00000003.376686039.000001E43635D000.00000004.00000001.sdmpfalse
                                                      high
                                                      https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=svchost.exe, 00000003.00000002.305491995.0000027FA8E4F000.00000004.00000001.sdmp, svchost.exe, 00000003.00000002.305394920.0000027FA8E13000.00000004.00000001.sdmpfalse
                                                        high
                                                        https://%s.xboxlive.comsvchost.exe, 00000001.00000002.548084769.000001DD49A29000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        low
                                                        https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=svchost.exe, 00000003.00000002.305447207.0000027FA8E46000.00000004.00000001.sdmpfalse
                                                          high
                                                          https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=svchost.exe, 00000003.00000003.283307864.0000027FA8E30000.00000004.00000001.sdmpfalse
                                                            high
                                                            https://dev.virtualearth.net/mapcontrol/logging.ashxsvchost.exe, 00000003.00000003.305008455.0000027FA8E61000.00000004.00000001.sdmpfalse
                                                              high
                                                              https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=svchost.exe, 00000003.00000003.305017431.0000027FA8E5B000.00000004.00000001.sdmpfalse
                                                                high
                                                                https://www.disneyplus.com/legal/privacy-policysvchost.exe, 0000000E.00000003.368025747.000001E436820000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.367996913.000001E43638A000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 00000003.00000003.305017431.0000027FA8E5B000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  https://dynamic.tsvchost.exe, 00000003.00000002.305447207.0000027FA8E46000.00000004.00000001.sdmp, svchost.exe, 00000003.00000003.305017431.0000027FA8E5B000.00000004.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://dev.virtualearth.net/REST/v1/Routes/Transitsvchost.exe, 00000003.00000003.305008455.0000027FA8E61000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    https://disneyplus.com/legal.svchost.exe, 0000000E.00000003.368025747.000001E436820000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.367996913.000001E43638A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.367933787.000001E43638A000.00000004.00000001.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    https://t0.ssl.ak.tiles.virtualearth.net/tiles/gensvchost.exe, 00000003.00000002.305438131.0000027FA8E3A000.00000004.00000001.sdmpfalse
                                                                      high
                                                                      https://www.roblox.com/info/privacysvchost.exe, 0000000E.00000003.376770289.000001E4363C3000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.376686039.000001E43635D000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        http://www.g5e.com/termsofservicesvchost.exe, 0000000E.00000003.367059268.000001E4363D8000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.367046140.000001E4363A6000.00000004.00000001.sdmpfalse
                                                                          high
                                                                          https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 00000003.00000003.305017431.0000027FA8E5B000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            http://47.102.143.195:9999/aceYDArk.exe, 00000000.00000002.548049519.00000227B6B6E000.00000004.00000020.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://activity.windows.comsvchost.exe, 00000001.00000002.548084769.000001DD49A29000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              https://dev.ditu.live.com/REST/v1/Locationssvchost.exe, 00000003.00000003.305008455.0000027FA8E61000.00000004.00000001.sdmpfalse
                                                                                high
                                                                                http://help.disneyplus.com.svchost.exe, 0000000E.00000003.368025747.000001E436820000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.367996913.000001E43638A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.367933787.000001E43638A000.00000004.00000001.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://%s.dnet.xboxlive.comsvchost.exe, 00000001.00000002.548084769.000001DD49A29000.00000004.00000001.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                low
                                                                                https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 00000003.00000003.305017431.0000027FA8E5B000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 00000003.00000003.305017431.0000027FA8E5B000.00000004.00000001.sdmpfalse
                                                                                    high

                                                                                    Contacted IPs


                                                                                    Public

IP: 47.102.143.195
Domain: unknown
Country: China
ASN: 37963
ASN Name: CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co., Ltd
Malicious: false

                                                                                    General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 498259
Start date: 06.10.2021
Start time: 21:32:53
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 47s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: YDArk.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal60.evad.winEXE@13/1@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 20.199.120.182, 20.82.210.154, 95.100.216.89, 95.100.218.151, 95.100.218.79, 20.82.209.104, 20.54.110.249, 8.247.248.223, 8.247.248.249, 8.247.244.249, 40.112.88.60, 20.199.120.85, 2.20.178.33, 2.20.178.24, 20.199.120.151, 20.82.209.183
• Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, fg.download.windowsupdate.com.c.footprint.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, storeedgefd.xbetservices.akadns.net, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, storeedgefd.dsx.mp.microsoft.com, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, storeedgefd.dsx.mp.microsoft.com.edgekey.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, e16646.dscg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                                                                    Simulations

                                                                                    Behavior and APIs

Time      Type             Description
21:34:25  API Interceptor  10x Sleep call for process: svchost.exe modified
21:34:49  API Interceptor  1x Sleep call for process: MpCmdRun.exe modified

                                                                                    Joe Sandbox View / Context

                                                                                    IPs

Match: 47.102.143.195
Associated Sample Name / URL: testtotesnotrealname.exe
Detection: malicious

                                                                                      Domains

                                                                                      No context

                                                                                      ASN


                                                                                      JA3 Fingerprints

                                                                                      No context

                                                                                      Dropped Files

                                                                                      No context

                                                                                      Created / dropped Files

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
Process: C:\Program Files\Windows Defender\MpCmdRun.exe
File Type: data
Category: modified
Size (bytes): 906
Entropy (8bit): 3.1555013794670166
Encrypted: false
SSDEEP: 12:58KRBubdpkoF1AG3rlsMlXGk9+MlWlLehB4yAq7ejCEsMlXT:OaqdmuF3rlvJ+kWReH4yJ7MNvD
MD5: BDE834EE9C929863E4C91F71869A9B97
SHA1: DDA512AFA98C03F3AA3799C90C248F5D911F5763
SHA-256: F917167AE9335932EA153F949E4ECE24C3A12444B8E26326A9E016206F94C18D
SHA-512: FBA48550F3A18E25BB2A9B89969FB0F4A5FFD8F3A0A03158341BDBBF299CD2AC9F33C1817111B010413FAF5E3BFA70A2FF3D363E040A04D1F2772598E7AB3DC4
Malicious: false
Preview (UTF-16LE text, decoded):
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
 Start Time: Wed Oct 06 2021 21:34:49
MpEnsureProcessMitigationPolicy: hr = 0x1
WDEnable
ERROR: MpWDEnable(TRUE) failed (800704EC)
MpCmdRun: End Time: Wed Oct 06 2021 21:34:49
-------------------------------------------------------------------------------------

                                                                                      Static File Info

                                                                                      General

File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 7.957629250301051
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: YDArk.exe
File size: 10500096
MD5: 9254b5e792af1a459b2af8d67c4ffada
SHA1: b4d50db2e0dc04c3d91aa74be0f188c1da50165e
SHA256: 40dd45c8c2557a0e8dd0c9afa521fa415653e9465b61b21241daf491477fe1b9
SHA512: 11382b2819ed7e3e55d2aac959cb3cae443075a6cead17e8b79e33f9f0fb8f2980b50cb0c9364105a12c52f76a17b0beb38deb5ff4d7d0ab720020735f82e687
SSDEEP: 196608:m8Aq5oDPEzmTIK70rjQd5xpwWX8u4Oml63xR3GI6ItA1wRXFxrlkC:m8hEPfLJpwWXSqCQtGO2
File Content Preview: MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.................................R....... .................t...................................................n.......n.......n......

                                                                                      File Icon

Icon Hash: b2f0ccd2d4ecf08e

                                                                                      Static PE Info

                                                                                      General

Entrypoint: 0x140c73efd
Entrypoint Section: .bin1
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp: 0x605D81FB [Fri Mar 26 06:40:59 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 341fdcd6aa802aca844477d980a4608a

Entrypoint Preview

Instruction
push 6D4812B5h
call 00007FA544E8B426h
in al, ADh
xor ebx, edx
std
inc eax
loope 00007FA54455C52Fh
adc al, E7h
adc al, 27h
jns 00007FA54455C4EEh
int3
xchg dword ptr [901F40F2h], ecx
int1
xchg eax, edx
mov bh, 56h
in eax, dx
mov dl, al
mov cs, word ptr [ebp-24h]
test byte ptr [edi-32919156h], dl
xchg eax, ebx
leave
lahf
mov eax, dword ptr [E3875D82h]
or eax, dword ptr [ebp-24h]
inc esp
cmp byte ptr [eax-5Ch], dh
lahf
and byte ptr [12D307B0h], dh
xchg eax, esi
push es
cmp al, 14h
int1
sar byte ptr [eax-04h], 0000002Ah
mov cl, EAh
inc eax
test eax, 92F0C9F6h
adc dword ptr [ecx-5505C423h], ebx
mov eax, dword ptr [226D14B3h]
test byte ptr [ecx], dh
mov byte ptr [ebx+edx*8], cl
pop es
outsd
dec edi
xchg dword ptr [ecx], esi
pop ebx
inc ecx
sbb ch, byte ptr [edx+5Eh]
sub al, 63h
pushfd
mov dh, 16h
xchg eax, esi
movsd
stosb
push eax
push ecx
cli
cmpsb
dec ecx
dec edi
push es
xor ah, byte ptr [eax-76h]
mov ch, 6Dh
sub dword ptr [ebp+52h], ebp
xlatb
add edx, ebp
imul esi, dword ptr [ebp-42h], 8Ah
dec edx
xchg eax, edx
mov esp, 01B896FFh
or eax, esi
jmp far A16Dh : 0EDB8832h
cmc
pop eax
fidiv word ptr [esi+eax*4-4Ch]
or ch, byte ptr [edx+2Fh]
cli
leave
popfd

Rich Headers

Programming Language:
• [C++] VS2013 UPD4 build 31101
• [IMP] VS2008 SP1 build 30729

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xca4280 | 0x9a | .bin1
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe0c1c0 | 0x244 | .bin1
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1642000 | 0x9991 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x16213b0 | 0x1f260 | .bin1
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1641000 | 0xb8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1621340 | 0x70 | .bin1
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc47e30 | 0x30 | .bin1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1620db0 | 0x138 | .bin1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xcb5000 | 0x220 | .bin1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2e584c | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.rdata | 0x2e7000 | 0x14a366 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.data | 0x432000 | 0x4e108 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata | 0x481000 | 0x1c164 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
_RDATA | 0x49e000 | 0x180 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.bin0 | 0x49f000 | 0x7a7b81 | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.bin1 | 0xc47000 | 0x9f9610 | 0x9f9800 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.reloc | 0x1641000 | 0xb8 | 0x200 | False | 0.3125 | GLS_BINARY_LSB_FIRST | 2.00488692241 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x1642000 | 0x9991 | 0x9a00 | False | 0.361835430195 | data | 5.16519345136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x1642850 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4264965686, next used block 4264899893 | Chinese | China
RT_ICON | 0x16438f8 | 0x568 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_ICON | 0x1643e60 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2298478540, next used block 2163181711 | Chinese | China
RT_ICON | 0x1644148 | 0x1e8 | data | Chinese | China
RT_ICON | 0x1644330 | 0x128 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_ICON | 0x1644458 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 15001065, next used block 15395040 | Chinese | China
RT_ICON | 0x1644d00 | 0x6c8 | data | Chinese | China
RT_ICON | 0x16453c8 | 0x568 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_ICON | 0x1645930 | 0x10a8 | data | Chinese | China
RT_ICON | 0x16469d8 | 0x988 | data | Chinese | China
RT_ICON | 0x1647360 | 0x468 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_ICON | 0x16477c8 | 0x568 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_ICON | 0x1647d30 | 0x128 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_ICON | 0x1647e58 | 0x128 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_ICON | 0x1647f80 | 0x128 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_ICON | 0x16480a8 | 0x128 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_ICON | 0x16481d0 | 0x2e8 | data | Chinese | China
RT_ICON | 0x16484b8 | 0x128 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_ICON | 0x16485e0 | 0x128 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_ICON | 0x1648708 | 0x2e8 | data | Chinese | China
RT_ICON | 0x16489f0 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4294967295, next used block 4286019583 | Chinese | China
RT_ICON | 0x1648cd8 | 0x128 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_ICON | 0x1648e00 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | Chinese | China
RT_ICON | 0x16496a8 | 0x568 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_ICON | 0x1649c10 | 0xca8 | dBase IV DBT of @.DBF, block length 3072, next free block index 40, next free block 4143380214, next used block 4143380214 | Chinese | China
RT_ICON | 0x164a8b8 | 0x368 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_ICON | 0x164ac20 | 0x468 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_ICON | 0x164b088 | 0x128 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_GROUP_ICON | 0x164b1b0 | 0x14 | data | Chinese | China
RT_GROUP_ICON | 0x164b1c8 | 0x14 | data | Chinese | China
RT_GROUP_ICON | 0x164b1e0 | 0x84 | data | Chinese | China
RT_GROUP_ICON | 0x164b268 | 0x14 | data | Chinese | China
RT_GROUP_ICON | 0x164b280 | 0x14 | data | Chinese | China
RT_GROUP_ICON | 0x164b298 | 0x14 | data | Chinese | China
RT_GROUP_ICON | 0x164b2b0 | 0x14 | data | Chinese | China
RT_GROUP_ICON | 0x164b2c8 | 0x14 | data | Chinese | China
RT_GROUP_ICON | 0x164b2e0 | 0x22 | data | Chinese | China
RT_GROUP_ICON | 0x164b308 | 0x22 | data | Chinese | China
RT_GROUP_ICON | 0x164b330 | 0x5a | data | Chinese | China
RT_GROUP_ICON | 0x164b390 | 0x22 | data | Chinese | China
RT_VERSION | 0x164b3b8 | 0x2b0 | data | Chinese | China
RT_MANIFEST | 0x164b668 | 0x329 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators | English | United States

Imports

DLL | Import
KERNEL32.dll | GetVersionExW
USER32.dll | MapVirtualKeyW
GDI32.dll | SetLayout
MSIMG32.dll | TransparentBlt
WINSPOOL.DRV | OpenPrinterW
ADVAPI32.dll | ControlService
SHELL32.dll | ShellExecuteW
COMCTL32.dll | ImageList_ReplaceIcon
SHLWAPI.dll | SHGetValueW
UxTheme.dll | DrawThemeParentBackground
ole32.dll | CoFreeUnusedLibraries
OLEAUT32.dll | SystemTimeToVariantTime
oledlg.dll | OleUIBusyW
gdiplus.dll | GdipAlloc
ntdll.dll | RtlNtStatusToDosErrorNoTeb
VERSION.dll | VerQueryValueW
NETAPI32.dll | NetApiBufferFree
dbghelp.dll | SymFromAddrW
WS2_32.dll | inet_addr
OLEACC.dll | LresultFromObject
WININET.dll | HttpSendRequestW
IMM32.dll | ImmReleaseContext
WINMM.dll | PlaySoundW
WTSAPI32.dll | WTSSendMessageW
KERNEL32.dll | GetSystemTimeAsFileTime
USER32.dll | GetUserObjectInformationW
KERNEL32.dll | LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
USER32.dll | GetProcessWindowStation, GetUserObjectInformationW

Exports

Name | Ordinal | Address
StealthCloseFile | 1 | 0x1401032e0
StealthGetSize | 2 | 0x1401031f0
StealthOpenFile | 3 | 0x140102d10
StealthReadFile | 4 | 0x140103210

Version Infos

Description | Data
LegalCopyright | TODO: (C) <>
InternalName | YDArk.exe
FileVersion | 1.0.2.2
CompanyName | TODO: <>
ProductName | TODO: <>
ProductVersion | 1.0.2.2
FileDescription | YDArk
OriginalFilename | YDArk.exe
Translation | 0x0804 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
Chinese | China
English | United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 6, 2021 21:33:51.535931110 CEST | 49787 | 9999 | 192.168.2.3 | 47.102.143.195
Oct 6, 2021 21:33:54.546264887 CEST | 49787 | 9999 | 192.168.2.3 | 47.102.143.195
Oct 6, 2021 21:34:00.562406063 CEST | 49787 | 9999 | 192.168.2.3 | 47.102.143.195

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time: 21:33:44
Start date: 06/10/2021
Path: C:\Users\user\Desktop\YDArk.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\YDArk.exe'
Imagebase: 0x7ff6a0fe0000
File size: 10500096 bytes
MD5 hash: 9254B5E792AF1A459B2AF8D67C4FFADA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 21:33:44
Start date: 06/10/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:33:46
Start date: 06/10/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:33:46
Start date: 06/10/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:33:47
Start date: 06/10/2021
Path: C:\Windows\System32\SgrmBroker.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                      Imagebase:0x7ff74c710000
                                                                                      File size:163336 bytes
                                                                                      MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:21:33:47
                                                                                      Start date:06/10/2021
                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                                      Imagebase:0x7ff70d6e0000
                                                                                      File size:51288 bytes
                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:21:33:58
                                                                                      Start date:06/10/2021
                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                      Imagebase:0x7ff70d6e0000
                                                                                      File size:51288 bytes
                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:21:34:07
                                                                                      Start date:06/10/2021
                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                      Imagebase:0x7ff70d6e0000
                                                                                      File size:51288 bytes
                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:21:34:15
                                                                                      Start date:06/10/2021
                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                      Imagebase:0x7ff70d6e0000
                                                                                      File size:51288 bytes
                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:21:34:23
                                                                                      Start date:06/10/2021
                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                      Imagebase:0x7ff70d6e0000
                                                                                      File size:51288 bytes
                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:21:34:48
                                                                                      Start date:06/10/2021
                                                                                      Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                                                                                      Imagebase:0x7ff68d780000
                                                                                      File size:455656 bytes
                                                                                      MD5 hash:A267555174BFA53844371226F482B86B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      General

                                                                                      Start time:21:34:49
                                                                                      Start date:06/10/2021
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7f20f0000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

Disassembly

Code Analysis