Analysis Report MV9tCJw8Xr

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: MV9tCJw8Xr.exe

Avira: detected

Found malware configuration

Source: 23.2.KBDHEB.exe.2b6279e.3.raw.unpack

Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAK0tD7DHdiTSfIU1WweFow3PfGxe/CRZ\n7RfHk7MnaOjnNJew7LHRiqSJHrLuGCM9Hhwr6X6Fo6BovhbAzlkBAKvDbpyms/Eq\nTV9arC8ISLFmyZS1gzLyBcE4wYE3YM5tzQIDAQAB", "C2 list": ["80.158.59.174:8080", "80.158.43.136:80", "80.158.3.161:443", "80.158.51.209:8080", "80.158.35.51:80", "80.158.63.78:443", "80.158.53.167:80", "58.27.215.3:8080", "75.127.14.170:8080", "198.20.228.9:8080", "37.205.9.252:7080", "120.51.34.254:80", "41.185.29.128:8080", "172.105.78.244:8080", "175.103.38.146:80", "190.164.135.81:80", "183.91.3.63:80", "109.13.179.195:80", "77.74.78.80:443", "126.126.139.26:443", "58.94.58.13:80", "162.144.145.58:8080", "197.221.227.78:80", "180.148.4.130:8080", "203.56.191.129:8080", "103.229.73.17:8080", "113.203.238.130:80", "188.166.220.180:7080", "152.32.75.74:443", "178.254.36.182:8080", "5.2.164.75:80", "42.200.96.63:80", "202.29.237.113:8080", "190.192.39.136:80", "103.93.220.182:80", "109.99.146.210:8080", "187.193.221.143:80", "116.202.10.123:8080", "46.105.131.68:8080", "50.116.78.109:8080", "181.59.59.54:80", "185.208.226.142:8080", "188.80.27.54:80", "2.58.16.86:8080", "192.241.220.183:8080", "95.76.142.243:80", "203.153.216.178:7080", "157.7.164.178:8081", "200.243.153.66:80", "195.201.56.70:8080", "73.55.128.120:80", "190.85.46.52:7080", "213.165.178.214:80", "143.95.101.72:8080", "41.76.213.144:8080", "178.33.167.120:8080", "201.163.74.203:80", "185.142.236.163:443", "121.117.147.153:443", "190.212.140.6:80", "60.108.128.186:80", "177.130.51.198:80", "54.38.143.245:8080", "179.5.118.12:80", "109.206.139.119:80", "192.210.217.94:8080", "85.246.78.192:80", "45.239.204.100:80", "185.80.172.199:80", "91.75.75.46:80", "2.82.75.215:80", "115.79.195.246:80", "190.55.186.229:80", "8.4.9.137:8080", "91.83.93.103:443", "192.163.221.191:8080", "117.2.139.117:443", "78.90.78.210:80", "153.229.219.1:443", "110.37.224.243:80", "115.79.59.157:80", "37.46.129.215:8080", "5.79.70.250:8080", "153.204.122.254:80", "74.208.173.91:8080", "139.59.61.215:443", "119.228.75.211:80", "189.123.103.233:80", "190.194.12.132:80", "223.17.215.76:80", "73.100.19.104:80", "79.133.6.236:8080", "103.80.51.61:8080", "172.96.190.154:8080", "5.2.246.108:80"]}

Multi AV Scanner detection for dropped file

Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Metadefender: Detection: 54%			Perma Link
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	ReversingLabs: Detection: 92%

Multi AV Scanner detection for submitted file

Source: MV9tCJw8Xr.exe	Virustotal: Detection: 66%			Perma Link
Source: MV9tCJw8Xr.exe	Metadefender: Detection: 56%			Perma Link
Source: MV9tCJw8Xr.exe	ReversingLabs: Detection: 77%

Machine Learning detection for dropped file

Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 2.2.KBDHEB.exe.5b053f.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 1.2.MV9tCJw8Xr.exe.218053f.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen2

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_021D1D83 CryptDecodeObjectEx,		2_2_021D1D83
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00401000 GetProcessHeap,RtlAllocateHeap,CryptStringToBinaryW,CryptStringToBinaryW,		22_2_00401000

Compliance:

Uses 32bit PE files

Source: MV9tCJw8Xr.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_021E28D9 FindFirstFileW,FindNextFileW,FindClose,		1_2_021E28D9
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_021D28D9 FindFirstFileW,FindNextFileW,FindClose,		2_2_021D28D9
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00A58C57 FindFirstFileExW,		22_2_00A58C57
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00403A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,		22_2_00403A10
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 23_2_00403A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,		23_2_00403A10
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe	Code function: 26_2_00403A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,		26_2_00403A10
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe	Code function: 27_2_00403A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,		27_2_00403A10

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 80.158.59.174:8080
Source: Malware configuration extractor	IPs: 80.158.43.136:80
Source: Malware configuration extractor	IPs: 80.158.3.161:443
Source: Malware configuration extractor	IPs: 80.158.51.209:8080
Source: Malware configuration extractor	IPs: 80.158.35.51:80
Source: Malware configuration extractor	IPs: 80.158.63.78:443
Source: Malware configuration extractor	IPs: 80.158.53.167:80
Source: Malware configuration extractor	IPs: 58.27.215.3:8080
Source: Malware configuration extractor	IPs: 75.127.14.170:8080
Source: Malware configuration extractor	IPs: 198.20.228.9:8080
Source: Malware configuration extractor	IPs: 37.205.9.252:7080
Source: Malware configuration extractor	IPs: 120.51.34.254:80
Source: Malware configuration extractor	IPs: 41.185.29.128:8080
Source: Malware configuration extractor	IPs: 172.105.78.244:8080
Source: Malware configuration extractor	IPs: 175.103.38.146:80
Source: Malware configuration extractor	IPs: 190.164.135.81:80
Source: Malware configuration extractor	IPs: 183.91.3.63:80
Source: Malware configuration extractor	IPs: 109.13.179.195:80
Source: Malware configuration extractor	IPs: 77.74.78.80:443
Source: Malware configuration extractor	IPs: 126.126.139.26:443
Source: Malware configuration extractor	IPs: 58.94.58.13:80
Source: Malware configuration extractor	IPs: 162.144.145.58:8080
Source: Malware configuration extractor	IPs: 197.221.227.78:80
Source: Malware configuration extractor	IPs: 180.148.4.130:8080
Source: Malware configuration extractor	IPs: 203.56.191.129:8080
Source: Malware configuration extractor	IPs: 103.229.73.17:8080
Source: Malware configuration extractor	IPs: 113.203.238.130:80
Source: Malware configuration extractor	IPs: 188.166.220.180:7080
Source: Malware configuration extractor	IPs: 152.32.75.74:443
Source: Malware configuration extractor	IPs: 178.254.36.182:8080
Source: Malware configuration extractor	IPs: 5.2.164.75:80
Source: Malware configuration extractor	IPs: 42.200.96.63:80
Source: Malware configuration extractor	IPs: 202.29.237.113:8080
Source: Malware configuration extractor	IPs: 190.192.39.136:80
Source: Malware configuration extractor	IPs: 103.93.220.182:80
Source: Malware configuration extractor	IPs: 109.99.146.210:8080
Source: Malware configuration extractor	IPs: 187.193.221.143:80
Source: Malware configuration extractor	IPs: 116.202.10.123:8080
Source: Malware configuration extractor	IPs: 46.105.131.68:8080
Source: Malware configuration extractor	IPs: 50.116.78.109:8080
Source: Malware configuration extractor	IPs: 181.59.59.54:80
Source: Malware configuration extractor	IPs: 185.208.226.142:8080
Source: Malware configuration extractor	IPs: 188.80.27.54:80
Source: Malware configuration extractor	IPs: 2.58.16.86:8080
Source: Malware configuration extractor	IPs: 192.241.220.183:8080
Source: Malware configuration extractor	IPs: 95.76.142.243:80
Source: Malware configuration extractor	IPs: 203.153.216.178:7080
Source: Malware configuration extractor	IPs: 157.7.164.178:8081
Source: Malware configuration extractor	IPs: 200.243.153.66:80
Source: Malware configuration extractor	IPs: 195.201.56.70:8080
Source: Malware configuration extractor	IPs: 73.55.128.120:80
Source: Malware configuration extractor	IPs: 190.85.46.52:7080
Source: Malware configuration extractor	IPs: 213.165.178.214:80
Source: Malware configuration extractor	IPs: 143.95.101.72:8080
Source: Malware configuration extractor	IPs: 41.76.213.144:8080
Source: Malware configuration extractor	IPs: 178.33.167.120:8080
Source: Malware configuration extractor	IPs: 201.163.74.203:80
Source: Malware configuration extractor	IPs: 185.142.236.163:443
Source: Malware configuration extractor	IPs: 121.117.147.153:443
Source: Malware configuration extractor	IPs: 190.212.140.6:80
Source: Malware configuration extractor	IPs: 60.108.128.186:80
Source: Malware configuration extractor	IPs: 177.130.51.198:80
Source: Malware configuration extractor	IPs: 54.38.143.245:8080
Source: Malware configuration extractor	IPs: 179.5.118.12:80
Source: Malware configuration extractor	IPs: 109.206.139.119:80
Source: Malware configuration extractor	IPs: 192.210.217.94:8080
Source: Malware configuration extractor	IPs: 85.246.78.192:80
Source: Malware configuration extractor	IPs: 45.239.204.100:80
Source: Malware configuration extractor	IPs: 185.80.172.199:80
Source: Malware configuration extractor	IPs: 91.75.75.46:80
Source: Malware configuration extractor	IPs: 2.82.75.215:80
Source: Malware configuration extractor	IPs: 115.79.195.246:80
Source: Malware configuration extractor	IPs: 190.55.186.229:80
Source: Malware configuration extractor	IPs: 8.4.9.137:8080
Source: Malware configuration extractor	IPs: 91.83.93.103:443
Source: Malware configuration extractor	IPs: 192.163.221.191:8080
Source: Malware configuration extractor	IPs: 117.2.139.117:443
Source: Malware configuration extractor	IPs: 78.90.78.210:80
Source: Malware configuration extractor	IPs: 153.229.219.1:443
Source: Malware configuration extractor	IPs: 110.37.224.243:80
Source: Malware configuration extractor	IPs: 115.79.59.157:80
Source: Malware configuration extractor	IPs: 37.46.129.215:8080
Source: Malware configuration extractor	IPs: 5.79.70.250:8080
Source: Malware configuration extractor	IPs: 153.204.122.254:80
Source: Malware configuration extractor	IPs: 74.208.173.91:8080
Source: Malware configuration extractor	IPs: 139.59.61.215:443
Source: Malware configuration extractor	IPs: 119.228.75.211:80
Source: Malware configuration extractor	IPs: 189.123.103.233:80
Source: Malware configuration extractor	IPs: 190.194.12.132:80
Source: Malware configuration extractor	IPs: 223.17.215.76:80
Source: Malware configuration extractor	IPs: 73.100.19.104:80
Source: Malware configuration extractor	IPs: 79.133.6.236:8080
Source: Malware configuration extractor	IPs: 103.80.51.61:8080
Source: Malware configuration extractor	IPs: 172.96.190.154:8080
Source: Malware configuration extractor	IPs: 5.2.246.108:80

Connects to several IPs in different countries

Source: unknown

Network traffic detected: IP country count 35

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.7:49734 -> 79.143.178.194:8080
Source: global traffic	TCP traffic: 192.168.2.7:49742 -> 87.106.136.232:8080
Source: global traffic	TCP traffic: 192.168.2.7:49752 -> 87.106.139.101:8080

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 143.95.101.72 143.95.101.72

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: GIGAINFRASoftbankBBCorpJP GIGAINFRASoftbankBBCorpJP
Source: Joe Sandbox View	ASN Name: CMCTELECOM-AS-VNCMCTelecomInfrastructureCompanyVN CMCTELECOM-AS-VNCMCTelecomInfrastructureCompanyVN
Source: Joe Sandbox View	ASN Name: OCNNTTCommunicationsCorporationJP OCNNTTCommunicationsCorporationJP

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic

TCP traffic: 192.168.2.7:49726 -> 190.144.18.198:80

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: POST /bU1xHhP1i5jVxZu/xvoUent/AXIzcbqj58Yqx42hBt/dnHR1wy6s3G/hhZqlzS/iQ7q56sdJjtJs1gO/ HTTP/1.1Referer: http://87.106.139.101/bU1xHhP1i5jVxZu/xvoUent/AXIzcbqj58Yqx42hBt/dnHR1wy6s3G/hhZqlzS/iQ7q56sdJjtJs1gO/Content-Type: multipart/form-data; boundary=---------------------------270479976396707User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 87.106.139.101:8080Content-Length: 4596Connection: Keep-AliveCache-Control: no-cache

Source: global traffic

HTTP traffic detected: POST /LrBFYD0XkeH6Uxd/HqBc9ORyzrNJU/Ah5wivG5/fOm2sJDdlpsjYC5CZe/ HTTP/1.1Referer: http://87.106.139.101/LrBFYD0XkeH6Uxd/HqBc9ORyzrNJU/Ah5wivG5/fOm2sJDdlpsjYC5CZe/Content-Type: multipart/form-data; boundary=---------------------------478597482596704User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 87.106.139.101:8080Content-Length: 4596Connection: Keep-AliveCache-Control: no-cache

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 190.144.18.198
Source: unknown	TCP traffic detected without corresponding DNS query: 190.144.18.198
Source: unknown	TCP traffic detected without corresponding DNS query: 190.144.18.198
Source: unknown	TCP traffic detected without corresponding DNS query: 79.143.178.194
Source: unknown	TCP traffic detected without corresponding DNS query: 79.143.178.194
Source: unknown	TCP traffic detected without corresponding DNS query: 79.143.178.194
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.136.232
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.136.232
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.136.232
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.139.101

Contains functionality to download additional files from the internet

Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe

Code function: 2_2_021D2014 InternetReadFile,

2_2_021D2014

Found strings which match to known social media urls

Source: svchost.exe, 00000014.00000003.400693153.000002847D776000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-02-23T11:59:47.8037938Z||.||8febf963-d577-41c2-8ddb-3e5fa7b0157a||1152921505693219151||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000014.00000003.400693153.000002847D776000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-02-23T11:59:47.8037938Z||.||8febf963-d577-41c2-8ddb-3e5fa7b0157a||1152921505693219151||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000014.00000002.413767165.000002847D713000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.facebook.com (Facebook)
Source: svchost.exe, 00000014.00000002.413767165.000002847D713000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.twitter.com (Twitter)
Source: svchost.exe, 00000014.00000003.392756849.000002847D75D000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000014.00000003.392756849.000002847D75D000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000014.00000003.392756849.000002847D75D000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000014.00000003.392873654.000002847D77F000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":426163994,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6","PackageId":"79986a28-1780-2990-8357-26989e97befa-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 00000014.00000003.392873654.000002847D77F000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":426163994,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6","PackageId":"79986a28-1780-2990-8357-26989e97befa-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 00000014.00000003.392873654.000002847D77F000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":426163994,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6","PackageId":"79986a28-1780-2990-8357-26989e97befa-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 00000014.00000003.392907537.000002847D7BC000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000014.00000003.392907537.000002847D7BC000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000014.00000003.392907537.000002847D7BC000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName

Posts data to webserver

Source: unknown

HTTP traffic detected: POST /bU1xHhP1i5jVxZu/xvoUent/AXIzcbqj58Yqx42hBt/dnHR1wy6s3G/hhZqlzS/iQ7q56sdJjtJs1gO/ HTTP/1.1Referer: http://87.106.139.101/bU1xHhP1i5jVxZu/xvoUent/AXIzcbqj58Yqx42hBt/dnHR1wy6s3G/hhZqlzS/iQ7q56sdJjtJs1gO/Content-Type: multipart/form-data; boundary=---------------------------270479976396707User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 87.106.139.101:8080Content-Length: 4596Connection: Keep-AliveCache-Control: no-cache

Urls found in memory or binary data

Source: KBDHEB.exe, 00000002.00000002.410251484.0000000002396000.00000004.00000001.sdmp	String found in binary or memory: http://190.144.18.198/7I6ErDP3TXIbpPVjGt/
Source: KBDHEB.exe, 00000002.00000002.410251484.0000000002396000.00000004.00000001.sdmp	String found in binary or memory: http://190.144.18.198/7I6ErDP3TXIbpPVjGt/oM
Source: KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp	String found in binary or memory: http://79.143.178.194:8080/OBOuz0RiXji/d5wQYa4TTiE8mhM/tWmQkXn/eT4anGr2w20EB/5Z2vttar3W/LDWHDNq9fsv2
Source: KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp	String found in binary or memory: http://87.106.136.232:8080/tykkNBM8k7Mh3VVh/JyRkf2GiuhU/36unp6rB6/
Source: KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp	String found in binary or memory: http://87.106.136.232:8080/tykkNBM8k7Mh3VVh/JyRkf2GiuhU/36unp6rB6/e
Source: KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp	String found in binary or memory: http://87.106.136.232:8080/tykkNBM8k7Mh3VVh/JyRkf2GiuhU/36unp6rB6/l
Source: KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp	String found in binary or memory: http://87.106.136.232:8080/tykkNBM8k7Mh3VVh/JyRkf2GiuhU/36unp6rB6/u
Source: KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp	String found in binary or memory: http://87.106.139.101:8080/LrBFYD0XkeH6Uxd/HqBc9ORyzrNJU/Ah5wivG5/fOm2sJDdlpsjYC5CZe/_o
Source: KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp	String found in binary or memory: http://87.106.139.101:8080/bU1xHhP1i5jVxZu/xvoUent/AXIzcbqj58Yqx42hBt/dnHR1wy6s3G/hhZqlzS/iQ7q56sdJj
Source: KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp	String found in binary or memory: http://87.10A
Source: KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp	String found in binary or memory: http://87.10AA
Source: svchost.exe, 00000014.00000002.413733181.000002847D5F0000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 00000014.00000002.413733181.000002847D5F0000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 00000014.00000002.413733181.000002847D5F0000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 00000014.00000002.413733181.000002847D5F0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 00000009.00000002.306308761.000001BC4BC13000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000014.00000003.392756849.000002847D75D000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.392907537.000002847D7BC000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.392873654.000002847D77F000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 00000014.00000003.392756849.000002847D75D000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.392907537.000002847D7BC000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.392873654.000002847D77F000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 00000014.00000003.391438598.000002847D759000.00000004.00000001.sdmp	String found in binary or memory: http://www.hulu.com/privacy
Source: svchost.exe, 00000014.00000003.391438598.000002847D759000.00000004.00000001.sdmp	String found in binary or memory: http://www.hulu.com/terms
Source: svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000014.00000003.399566749.000002847D78E000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.399526932.000002847D772000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 00000014.00000003.399566749.000002847D78E000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.399526932.000002847D772000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.399513122.000002847D761000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 00000009.00000003.305925778.000001BC4BC5A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000002.306397657.000001BC4BC5C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.306367566.000001BC4BC3C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000009.00000002.306397657.000001BC4BC5C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.305911439.000001BC4BC47000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000002.306397657.000001BC4BC5C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.306367566.000001BC4BC3C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000009.00000003.305999257.000001BC4BC41000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000009.00000003.305999257.000001BC4BC41000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000002.306397657.000001BC4BC5C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000009.00000003.305925778.000001BC4BC5A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000002.306397657.000001BC4BC5C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000002.306397657.000001BC4BC5C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000002.306408621.000001BC4BC62000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.306367566.000001BC4BC3C000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.283903786.000001BC4BC31000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000014.00000003.399566749.000002847D78E000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.399526932.000002847D772000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 00000014.00000003.392756849.000002847D75D000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.392907537.000002847D7BC000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.392873654.000002847D77F000.00000004.00000001.sdmp	String found in binary or memory: https://instagram.com/hiddencity_
Source: svchost.exe, 00000009.00000002.306367566.000001BC4BC3C000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.306367566.000001BC4BC3C000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.306308761.000001BC4BC13000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.283903786.000001BC4BC31000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.305990184.000001BC4BC56000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.283903786.000001BC4BC31000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000009.00000003.283903786.000001BC4BC31000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000009.00000003.305999257.000001BC4BC41000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen19
Source: svchost.exe, 00000014.00000003.391438598.000002847D759000.00000004.00000001.sdmp	String found in binary or memory: https://www.hulu.com/ca-privacy-rights
Source: svchost.exe, 00000014.00000003.391438598.000002847D759000.00000004.00000001.sdmp	String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
Source: svchost.exe, 00000014.00000003.399566749.000002847D78E000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.399526932.000002847D772000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 00000014.00000003.399566749.000002847D78E000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.399526932.000002847D772000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: tokenbinding2.exe, 00000016.00000002.413591268.00000000010FA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Potential key logger detected (key state polling based)

Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_00409E4C GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		1_2_00409E4C
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_00409E4C GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		2_2_00409E4C

E-Banking Fraud:

Yara detected Emotet

Source: Yara match	File source: 0000001C.00000002.442107298.0000000002E30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.464467088.0000000002971000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.428286473.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.439198093.00000000030A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.419691301.0000000002B60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.447921757.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.409946208.00000000020C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.468787553.00000000029E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.470554430.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.493970869.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.446724023.0000000003274000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.482749716.00000000025B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.483313060.0000000002671000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.439928850.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.468454177.0000000002980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.433437120.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.413932910.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.438746003.0000000001350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.449294722.0000000001310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.483058248.0000000002614000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.463773326.00000000028B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.243322939.00000000021E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.409716178.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.429639515.0000000002CD4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.446019093.0000000001850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.414052123.0000000002F14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.477958707.00000000031B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.492699981.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.417949677.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.410029176.00000000021D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.429459440.0000000002C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.465519796.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.464108385.0000000002914000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.243267422.0000000002180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.243296865.00000000021C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.449645390.0000000002D64000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.442504698.0000000002E94000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.443777034.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.478389759.0000000003214000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.420026339.0000000002BC4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.494214004.0000000002B44000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.412800025.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 32.2.jscript9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.KBDHEB.exe.5b053f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.msrd2x40.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.tokenbinding2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.catsrvut.exe.2ae279e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.KBDINTAM.exe.185279e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.MCCSEngineShared.exe.28b279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.COLORCNV.exe.135052e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.MCCSEngineShared.exe.28b279e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.msvcr100_clr0400.exe.25b279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.KBDHEB.exe.2b6279e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.KBDINTAM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.tokenbinding2.exe.2eb279e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.KBDHEB.exe.2b6052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.msrd2x40.exe.131052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.execmodelproxy.exe.2c7052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.wmvdspa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.wmvdspa.exe.31b052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MV9tCJw8Xr.exe.218053f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.msvcr100_clr0400.exe.2670000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.catsrvut.exe.2ae052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.execmodelproxy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.usp10.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.jscript9.exe.298279e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.wmvdspa.exe.31b279e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.execmodelproxy.exe.2c7052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.MCCSEngineShared.exe.2970000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.KBDHEB.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.jscript9.exe.298052e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.msrd2x40.exe.131279e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.wmvdspa.exe.31b279e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MV9tCJw8Xr.exe.2181f3f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.KBDHEB.exe.21d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.COLORCNV.exe.135052e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.usp10.exe.2e3279e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MV9tCJw8Xr.exe.218053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.usp10.exe.2e3279e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.COLORCNV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.KBDINTAM.exe.185279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.MCCSEngineShared.exe.28b052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.KBDHEB.exe.2b6052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MV9tCJw8Xr.exe.21e0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.COLORCNV.exe.135279e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.msrd2x40.exe.131279e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.msvcr100_clr0400.exe.25b052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.COLORCNV.exe.135279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.wmvdspa.exe.31b052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.execmodelproxy.exe.2c7279e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.catsrvut.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.execmodelproxy.exe.2c7279e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.usp10.exe.2e3052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.KBDHEB.exe.5b1f3f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.KBDHEB.exe.2b6279e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.tokenbinding2.exe.2eb052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.msvcr100_clr0400.exe.25b052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.KBDHEB.exe.20c4000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.KBDHEB.exe.5b053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.catsrvut.exe.2ae052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.jscript9.exe.298052e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.tokenbinding2.exe.2eb052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.msvcr100_clr0400.exe.25b279e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.jscript9.exe.298279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.usp10.exe.2e3052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MV9tCJw8Xr.exe.2181f3f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MV9tCJw8Xr.exe.21c4000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.KBDHEB.exe.20c4000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.catsrvut.exe.2ae279e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.MCCSEngineShared.exe.28b052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.msrd2x40.exe.131052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.tokenbinding2.exe.2eb279e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.KBDINTAM.exe.185052e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MV9tCJw8Xr.exe.21c4000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.KBDHEB.exe.5b1f3f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.KBDINTAM.exe.185052e.3.raw.unpack, type: UNPACKEDPE

System Summary:

Contains functionality to delete services

Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe

Code function: 22_2_00A45800 Sleep,GetModuleFileNameW,PathFindFileNameW,PathFindExtensionW,OpenSCManagerW,OpenServiceW,DeleteService,CloseHandle,RegCreateKeyExW,RegDeleteValueW,CloseHandle,MoveFileW,ExitProcess,

22_2_00A45800

Creates files inside the system directory

Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe

File created: C:\Windows\SysWOW64\DefaultPrinterProvider\

Jump to behavior

Deletes files inside the Windows folder

Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe

File deleted: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe:Zone.Identifier

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_00421064		1_2_00421064
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_0041D27C		1_2_0041D27C
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_004133A4		1_2_004133A4
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_0042045E		1_2_0042045E
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_0040B63B		1_2_0040B63B
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_00413778		1_2_00413778
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_004159DC		1_2_004159DC
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_004209A0		1_2_004209A0
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_00411A80		1_2_00411A80
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_00419B00		1_2_00419B00
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_00413B84		1_2_00413B84
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_00412ED1		1_2_00412ED1
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_0041FF1C		1_2_0041FF1C
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_00421FE1		1_2_00421FE1
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_00418FF3		1_2_00418FF3
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_00413FA4		1_2_00413FA4
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_021E2AE3		1_2_021E2AE3
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_021E2C56		1_2_021E2C56
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_02183E22		1_2_02183E22
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_02183F95		1_2_02183F95
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_00421064		2_2_00421064
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_0041D27C		2_2_0041D27C
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_004133A4		2_2_004133A4
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_0042045E		2_2_0042045E
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_0040B63B		2_2_0040B63B
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_00413778		2_2_00413778
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_004159DC		2_2_004159DC
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_004209A0		2_2_004209A0
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_00411A80		2_2_00411A80
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_00419B00		2_2_00419B00
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_00413B84		2_2_00413B84
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_00412ED1		2_2_00412ED1
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_0041FF1C		2_2_0041FF1C
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_00421FE1		2_2_00421FE1
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_00418FF3		2_2_00418FF3
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_00413FA4		2_2_00413FA4
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_021D2AE3		2_2_021D2AE3
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_021D2C56		2_2_021D2C56
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00A569A5		22_2_00A569A5
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00A571D9		22_2_00A571D9
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00A4922F		22_2_00A4922F
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00A49A5B		22_2_00A49A5B
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00A464B7		22_2_00A464B7
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00A494D9		22_2_00A494D9
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00A48EBD		22_2_00A48EBD
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00A48E10		22_2_00A48E10
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00A497A0		22_2_00A497A0
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00408180		22_2_00408180
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00401C70		22_2_00401C70
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00407590		22_2_00407590
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_02EB380E		22_2_02EB380E
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_02EB912E		22_2_02EB912E
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_02EB9D1E		22_2_02EB9D1E
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 23_2_00408180		23_2_00408180
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 23_2_00401C70		23_2_00401C70
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 23_2_00407590		23_2_00407590
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 23_2_02B6380E		23_2_02B6380E
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 23_2_02B6912E		23_2_02B6912E
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 23_2_02B69D1E		23_2_02B69D1E
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe	Code function: 26_2_00408180		26_2_00408180
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe	Code function: 26_2_00401C70		26_2_00401C70
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe	Code function: 26_2_00407590		26_2_00407590
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe	Code function: 26_2_02C7380E		26_2_02C7380E
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe	Code function: 26_2_02C79D1E		26_2_02C79D1E
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe	Code function: 26_2_02C7912E		26_2_02C7912E
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe	Code function: 27_2_00408180		27_2_00408180
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe	Code function: 27_2_00401C70		27_2_00401C70
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe	Code function: 27_2_00407590		27_2_00407590
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe	Code function: 27_2_0135912E		27_2_0135912E
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe	Code function: 27_2_01359D1E		27_2_01359D1E
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe	Code function: 27_2_0135380E		27_2_0135380E

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: String function: 00A47960 appears 50 times
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: String function: 00412022 appears 77 times
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: String function: 00414554 appears 51 times
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: String function: 00412022 appears 77 times
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: String function: 00414554 appears 51 times

PE file contains strange resources

Source: MV9tCJw8Xr.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tokenbinding2.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tokenbinding2.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tokenbinding2.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tokenbinding2.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: MV9tCJw8Xr.exe, 00000001.00000000.226109151.0000000000434000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMinnesota's county attorneys want to give the state attorney general the authority vs MV9tCJw8Xr.exe
Source: MV9tCJw8Xr.exe, 00000001.00000002.244368599.0000000002A50000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs MV9tCJw8Xr.exe
Source: MV9tCJw8Xr.exe, 00000001.00000002.244368599.0000000002A50000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs MV9tCJw8Xr.exe
Source: MV9tCJw8Xr.exe, 00000001.00000002.244216934.0000000002950000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs MV9tCJw8Xr.exe
Source: MV9tCJw8Xr.exe	Binary or memory string: OriginalFilenameMinnesota's county attorneys want to give the state attorney general the authority vs MV9tCJw8Xr.exe

Tries to load missing DLLs

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Uses 32bit PE files

Source: MV9tCJw8Xr.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winEXE@42/7@0/100

Contains functionality to create services

Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle,		22_2_00408730
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle,		23_2_00408730
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe	Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle,		26_2_00408730
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe	Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle,		27_2_00408730

Contains functionality to enum processes or threads

Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe

Code function: 2_2_021D3657 CreateToolhelp32Snapshot,Process32NextW,Process32FirstW,FindCloseChangeNotification,

2_2_021D3657

Contains functionality to load and extract PE file embedded resources

Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe

Code function: 1_2_00403548 __EH_prolog3,LoadLibraryExA,LoadLibraryExA,LoadLibraryExA,SizeofResource,GetCurrentProcess,VirtualAllocExNuma,

1_2_00403548

Contains functionality to modify services (start/stop/modify)

Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe

Code function: 23_2_00405060 QueryServiceConfig2W,CloseServiceHandle,ChangeServiceConfig2W,EnumServicesStatusExW,GetTickCount,OpenServiceW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,RtlFreeHeap,

23_2_00405060

Creates mutexes

Source: C:\Windows\System32\conhost.exe

Mutant created: \BaseNamedObjects\Local\SM0:1880:120:WilError_01

Creates temporary files

Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe

File created: C:\Users\user~1\AppData\Local\Temp\UPDA7CE.tmp

Jump to behavior

Might use command line arguments

Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Command line argument: LoaderLoader		22_2_00A454E0
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Command line argument: LOADERLOADER		22_2_00A454E0

PE file has an executable .text section and no other executable section

Source: MV9tCJw8Xr.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads ini files

Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample is known by Antivirus

Source: MV9tCJw8Xr.exe	Virustotal: Detection: 66%
Source: MV9tCJw8Xr.exe	Metadefender: Detection: 56%
Source: MV9tCJw8Xr.exe	ReversingLabs: Detection: 77%

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\MV9tCJw8Xr.exe 'C:\Users\user\Desktop\MV9tCJw8Xr.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe 'C:\Windows\SysWOW64\DefaultPrinterProvider\\tokenbinding2.exe' YAQAADwAAABEAGUAZgBhAHUAbAB0AFAAcgBpAG4AdABlAHIAUAByAG8AdgBpAGQAZQByAFwASwBCAEQASABFAEIAAAA=
Source: unknown	Process created: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe
Source: unknown	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe
Source: unknown	Process created: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe
Source: unknown	Process created: C:\Windows\SysWOW64\glu32\usp10.exe C:\Windows\SysWOW64\glu32\usp10.exe
Source: unknown	Process created: C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe
Source: unknown	Process created: C:\Windows\SysWOW64\ndfapi\msrd2x40.exe C:\Windows\SysWOW64\ndfapi\msrd2x40.exe
Source: unknown	Process created: C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exe C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exe
Source: unknown	Process created: C:\Windows\SysWOW64\Chakrathunk\jscript9.exe C:\Windows\SysWOW64\Chakrathunk\jscript9.exe
Source: unknown	Process created: C:\Windows\SysWOW64\ftp\wmvdspa.exe C:\Windows\SysWOW64\ftp\wmvdspa.exe
Source: unknown	Process created: C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exe C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exe
Source: unknown	Process created: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe
Source: unknown	Process created: C:\Windows\SysWOW64\d3dramp\mprdim.exe C:\Windows\SysWOW64\d3dramp\mprdim.exe
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Process created: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Process created: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe 'C:\Windows\SysWOW64\DefaultPrinterProvider\\tokenbinding2.exe' YAQAADwAAABEAGUAZgBhAHUAbAB0AFAAcgBpAG4AdABlAHIAUAByAG8AdgBpAGQAZQByAFwASwBCAEQASABFAEIAAAA=			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Process created: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Process created: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe			Jump to behavior
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe	Process created: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe			Jump to behavior
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe	Process created: C:\Windows\SysWOW64\glu32\usp10.exe C:\Windows\SysWOW64\glu32\usp10.exe			Jump to behavior
Source: C:\Windows\SysWOW64\glu32\usp10.exe	Process created: C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe
Source: C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe	Process created: C:\Windows\SysWOW64\ndfapi\msrd2x40.exe C:\Windows\SysWOW64\ndfapi\msrd2x40.exe
Source: C:\Windows\SysWOW64\ndfapi\msrd2x40.exe	Process created: C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exe C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exe
Source: C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exe	Process created: C:\Windows\SysWOW64\Chakrathunk\jscript9.exe C:\Windows\SysWOW64\Chakrathunk\jscript9.exe
Source: C:\Windows\SysWOW64\Chakrathunk\jscript9.exe	Process created: C:\Windows\SysWOW64\ftp\wmvdspa.exe C:\Windows\SysWOW64\ftp\wmvdspa.exe
Source: C:\Windows\SysWOW64\ftp\wmvdspa.exe	Process created: C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exe C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exe
Source: C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exe	Process created: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe
Source: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe	Process created: C:\Windows\SysWOW64\d3dramp\mprdim.exe C:\Windows\SysWOW64\d3dramp\mprdim.exe

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Data Obfuscation:

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe

Code function: 1_2_0041CCF2 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,

1_2_0041CCF2

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_004120C1 push ecx; ret		1_2_004120D4
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_00414599 push ecx; ret		1_2_004145AC
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_0041080D push 59FFFF3Ah; ret		1_2_0041081A
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_004120C1 push ecx; ret		2_2_004120D4
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_00414599 push ecx; ret		2_2_004145AC
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_0041080D push 59FFFF3Ah; ret		2_2_0041081A
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00A479A6 push ecx; ret		22_2_00A479B9
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00A47245 push ecx; ret		22_2_00A47258
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00405D70 push ecx; mov dword ptr [esp], 00008067h		22_2_00405D71
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00405D00 push ecx; mov dword ptr [esp], 000021B4h		22_2_00405D01
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00405D30 push ecx; mov dword ptr [esp], 00002C7Ch		22_2_00405D31
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00405DE0 push ecx; mov dword ptr [esp], 000025AAh		22_2_00405DE1
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00405DA0 push ecx; mov dword ptr [esp], 000036B8h		22_2_00405DA1
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00405E40 push ecx; mov dword ptr [esp], 0000AEA2h		22_2_00405E41
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00405E70 push ecx; mov dword ptr [esp], 00008D73h		22_2_00405E71
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00405EA0 push ecx; mov dword ptr [esp], 00007473h		22_2_00405EA1
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00405F70 push ecx; mov dword ptr [esp], 000084ADh		22_2_00405F71
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00405F20 push ecx; mov dword ptr [esp], 0000E2ADh		22_2_00405F21
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00405FB0 push ecx; mov dword ptr [esp], 0000460Eh		22_2_00405FB1
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_02EB7ABE push ecx; mov dword ptr [esp], 0000E2ADh		22_2_02EB7ABF
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_02EB7A3E push ecx; mov dword ptr [esp], 00007473h		22_2_02EB7A3F
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_02EB7A0E push ecx; mov dword ptr [esp], 00008D73h		22_2_02EB7A0F
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_02EBFE04 push C9686868h; iretd		22_2_02EBFE09
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_02EB7B4E push ecx; mov dword ptr [esp], 0000460Eh		22_2_02EB7B4F
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_02EB7B0E push ecx; mov dword ptr [esp], 000084ADh		22_2_02EB7B0F
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_02EB78CE push ecx; mov dword ptr [esp], 00002C7Ch		22_2_02EB78CF
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_02EB789E push ecx; mov dword ptr [esp], 000021B4h		22_2_02EB789F
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_02EC51F0 push eax; ret		22_2_02EC51F3
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_02EC89CA push ecx; retf		22_2_02EC89CB
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_02EC8DC6 push ecx; retf		22_2_02EC8DC7
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_02EB79DE push ecx; mov dword ptr [esp], 0000AEA2h		22_2_02EB79DF

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\ndfapi\msrd2x40.exe	Executable created and started: C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exe
Source: C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe	Executable created and started: C:\Windows\SysWOW64\ndfapi\msrd2x40.exe
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe	Executable created and started: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe			Jump to behavior
Source: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe	Executable created and started: C:\Windows\SysWOW64\d3dramp\mprdim.exe
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe	Executable created and started: C:\Windows\SysWOW64\glu32\usp10.exe			Jump to behavior
Source: C:\Windows\SysWOW64\glu32\usp10.exe	Executable created and started: C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Executable created and started: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe			Jump to behavior
Source: C:\Windows\SysWOW64\ftp\wmvdspa.exe	Executable created and started: C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exe
Source: C:\Windows\SysWOW64\Chakrathunk\jscript9.exe	Executable created and started: C:\Windows\SysWOW64\ftp\wmvdspa.exe
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Executable created and started: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe			Jump to behavior
Source: C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exe	Executable created and started: C:\Windows\SysWOW64\Chakrathunk\jscript9.exe
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Executable created and started: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe			Jump to behavior
Source: C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exe	Executable created and started: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe

Drops PE files

Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe

File created: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe

Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe

File created: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	File opened: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe:Zone.Identifier read attributes | delete			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	File opened: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe:Zone.Identifier read attributes | delete			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	File opened: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe:Zone.Identifier read attributes | delete			Jump to behavior
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe	File opened: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe:Zone.Identifier read attributes | delete			Jump to behavior
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe	File opened: C:\Windows\SysWOW64\glu32\usp10.exe:Zone.Identifier read attributes | delete			Jump to behavior
Source: C:\Windows\SysWOW64\glu32\usp10.exe	File opened: C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe	File opened: C:\Windows\SysWOW64\ndfapi\msrd2x40.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\ndfapi\msrd2x40.exe	File opened: C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exe	File opened: C:\Windows\SysWOW64\Chakrathunk\jscript9.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\Chakrathunk\jscript9.exe	File opened: C:\Windows\SysWOW64\ftp\wmvdspa.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\ftp\wmvdspa.exe	File opened: C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exe	File opened: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe	File opened: C:\Windows\SysWOW64\d3dramp\mprdim.exe:Zone.Identifier read attributes | delete

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_00407731 MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,		1_2_00407731
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_00403DC5 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,		1_2_00403DC5
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_00407731 MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,		2_2_00407731
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_00403DC5 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,		2_2_00403DC5

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe

Code function: 22_2_00A464B7 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

22_2_00A464B7

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\glu32\usp10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\glu32\usp10.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\ndfapi\msrd2x40.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\ndfapi\msrd2x40.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\Chakrathunk\jscript9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\Chakrathunk\jscript9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\ftp\wmvdspa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\ftp\wmvdspa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines

Source: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe

Code function: 22_2_00A41F00 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,FindCloseChangeNotification,OpenProcess,QueryFullProcessImageNameW,CloseHandle,

22_2_00A41F00

Contains functionality to enumerate running services

Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: QueryServiceConfig2W,CloseServiceHandle,ChangeServiceConfig2W,EnumServicesStatusExW,GetTickCount,OpenServiceW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,RtlFreeHeap,		23_2_00405060
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe	Code function: QueryServiceConfig2W,CloseServiceHandle,ChangeServiceConfig2W,EnumServicesStatusExW,GetTickCount,OpenServiceW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,RtlFreeHeap,		26_2_00405060
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe	Code function: QueryServiceConfig2W,CloseServiceHandle,ChangeServiceConfig2W,EnumServicesStatusExW,GetTickCount,OpenServiceW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,RtlFreeHeap,		27_2_00405060

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\svchost.exe TID: 6908	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6532	Thread sleep time: -210000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe TID: 4920	Thread sleep time: -480000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe TID: 4920	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe TID: 6236	Thread sleep time: -300000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe TID: 6236	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe TID: 5200	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe TID: 5200	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe TID: 5236	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe TID: 5236	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\glu32\usp10.exe TID: 5292	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\glu32\usp10.exe TID: 5292	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe TID: 1592	Thread sleep time: -240000s >= -30000s
Source: C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe TID: 1592	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\ndfapi\msrd2x40.exe TID: 6772	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\ndfapi\msrd2x40.exe TID: 6772	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exe TID: 6028	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exe TID: 6028	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\Chakrathunk\jscript9.exe TID: 4644	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\Chakrathunk\jscript9.exe TID: 4644	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\ftp\wmvdspa.exe TID: 6988	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\ftp\wmvdspa.exe TID: 6988	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exe TID: 7008	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exe TID: 7008	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe TID: 4172	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe TID: 4172	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\d3dramp\mprdim.exe TID: 1288	Thread sleep time: -60000s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Checks the free space of harddrives

Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\glu32\usp10.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\ndfapi\msrd2x40.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\Chakrathunk\jscript9.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\ftp\wmvdspa.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe	File Volume queried: C:\ FullSizeInformation

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_021E28D9 FindFirstFileW,FindNextFileW,FindClose,		1_2_021E28D9
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_021D28D9 FindFirstFileW,FindNextFileW,FindClose,		2_2_021D28D9
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00A58C57 FindFirstFileExW,		22_2_00A58C57
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00403A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,		22_2_00403A10
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 23_2_00403A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,		23_2_00403A10
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe	Code function: 26_2_00403A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,		26_2_00403A10
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe	Code function: 27_2_00403A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,		27_2_00403A10

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: svchost.exe, 0000000C.00000002.304416598.000001EB50F40000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.350400562.0000022998540000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.374572443.0000020319060000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.414645606.000002847DE00000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000014.00000002.413010176.000002847CE88000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWP
Source: KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp, svchost.exe, 00000014.00000002.413279016.000002847CEEA000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000C.00000002.304416598.000001EB50F40000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.350400562.0000022998540000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.374572443.0000020319060000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.414645606.000002847DE00000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 0000000C.00000002.304416598.000001EB50F40000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.350400562.0000022998540000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.374572443.0000020319060000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.414645606.000002847DE00000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 0000000C.00000002.304416598.000001EB50F40000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.350400562.0000022998540000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.374572443.0000020319060000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.414645606.000002847DE00000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Queries a list of all running processes

Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe

Code function: 1_2_00412013 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

1_2_00412013

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe

Code function: 22_2_00A41F00 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,FindCloseChangeNotification,OpenProcess,QueryFullProcessImageNameW,CloseHandle,

22_2_00A41F00

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe

Code function: 1_2_0041CCF2 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,

1_2_0041CCF2

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_021E378C mov eax, dword ptr fs:[00000030h]		1_2_021E378C
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_021E2E8C mov eax, dword ptr fs:[00000030h]		1_2_021E2E8C
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_02184ACB mov eax, dword ptr fs:[00000030h]		1_2_02184ACB
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_021841CB mov eax, dword ptr fs:[00000030h]		1_2_021841CB
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_02180467 mov eax, dword ptr fs:[00000030h]		1_2_02180467
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_021D378C mov eax, dword ptr fs:[00000030h]		2_2_021D378C
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_021D2E8C mov eax, dword ptr fs:[00000030h]		2_2_021D2E8C
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00A4EF44 mov eax, dword ptr fs:[00000030h]		22_2_00A4EF44
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00404E10 mov eax, dword ptr fs:[00000030h]		22_2_00404E10
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00403F70 mov eax, dword ptr fs:[00000030h]		22_2_00403F70
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_02EB5B0E mov eax, dword ptr fs:[00000030h]		22_2_02EB5B0E
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_02EB0456 mov eax, dword ptr fs:[00000030h]		22_2_02EB0456
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_02EB69AE mov eax, dword ptr fs:[00000030h]		22_2_02EB69AE
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_02EB095E mov eax, dword ptr fs:[00000030h]		22_2_02EB095E
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_02F11030 mov eax, dword ptr fs:[00000030h]		22_2_02F11030
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 23_2_00403F70 mov eax, dword ptr fs:[00000030h]		23_2_00403F70
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 23_2_00404E10 mov eax, dword ptr fs:[00000030h]		23_2_00404E10
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 23_2_02B65B0E mov eax, dword ptr fs:[00000030h]		23_2_02B65B0E
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 23_2_02B60456 mov eax, dword ptr fs:[00000030h]		23_2_02B60456
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 23_2_02B669AE mov eax, dword ptr fs:[00000030h]		23_2_02B669AE
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 23_2_02B6095E mov eax, dword ptr fs:[00000030h]		23_2_02B6095E
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 23_2_02BC1030 mov eax, dword ptr fs:[00000030h]		23_2_02BC1030
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe	Code function: 26_2_00403F70 mov eax, dword ptr fs:[00000030h]		26_2_00403F70
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe	Code function: 26_2_00404E10 mov eax, dword ptr fs:[00000030h]		26_2_00404E10
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe	Code function: 26_2_02C75B0E mov eax, dword ptr fs:[00000030h]		26_2_02C75B0E
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe	Code function: 26_2_02C70456 mov eax, dword ptr fs:[00000030h]		26_2_02C70456
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe	Code function: 26_2_02C769AE mov eax, dword ptr fs:[00000030h]		26_2_02C769AE
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe	Code function: 26_2_02C7095E mov eax, dword ptr fs:[00000030h]		26_2_02C7095E
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe	Code function: 26_2_02CD1030 mov eax, dword ptr fs:[00000030h]		26_2_02CD1030
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe	Code function: 27_2_00403F70 mov eax, dword ptr fs:[00000030h]		27_2_00403F70
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe	Code function: 27_2_00404E10 mov eax, dword ptr fs:[00000030h]		27_2_00404E10
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe	Code function: 27_2_0135095E mov eax, dword ptr fs:[00000030h]		27_2_0135095E
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe	Code function: 27_2_013569AE mov eax, dword ptr fs:[00000030h]		27_2_013569AE
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe	Code function: 27_2_01350456 mov eax, dword ptr fs:[00000030h]		27_2_01350456
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe	Code function: 27_2_01355B0E mov eax, dword ptr fs:[00000030h]		27_2_01355B0E
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe	Code function: 27_2_030A1030 mov eax, dword ptr fs:[00000030h]		27_2_030A1030

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe

Code function: 1_2_00412749 GetStartupInfoA,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__cinit,__amsg_exit,__wincmdln,

1_2_00412749

Contains functionality to register its own exception handler

Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_00412013 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		1_2_00412013
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_00416262 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		1_2_00416262
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_00416761 SetUnhandledExceptionFilter,__encode_pointer,		1_2_00416761
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_00416783 __decode_pointer,SetUnhandledExceptionFilter,		1_2_00416783
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: 1_2_0041BCDF __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_0041BCDF
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_00412013 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		2_2_00412013
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_00416262 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		2_2_00416262
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_00416761 SetUnhandledExceptionFilter,__encode_pointer,		2_2_00416761
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_00416783 __decode_pointer,SetUnhandledExceptionFilter,		2_2_00416783
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: 2_2_0041BCDF __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		2_2_0041BCDF
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00A478B2 SetUnhandledExceptionFilter,		22_2_00A478B2
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00A4C918 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		22_2_00A4C918
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00A473A8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		22_2_00A473A8
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: 22_2_00A4771F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		22_2_00A4771F

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe

Process created: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe 'C:\Windows\SysWOW64\DefaultPrinterProvider\\tokenbinding2.exe' YAQAADwAAABEAGUAZgBhAHUAbAB0AFAAcgBpAG4AdABlAHIAUAByAG8AdgBpAGQAZQByAFwASwBCAEQASABFAEIAAAA=

Jump to behavior

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe

Code function: 1_2_0041D073 cpuid

1_2_0041D073

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,		1_2_00422582
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,		1_2_00404D59
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Code function: GetLocaleInfoA,		1_2_0041FD23
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,		2_2_00422582
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,		2_2_00404D59
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Code function: GetLocaleInfoA,		2_2_0041FD23
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: EnumSystemLocalesW,		22_2_00A5B8B5
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: GetLocaleInfoW,		22_2_00A5B80C
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: GetLocaleInfoW,		22_2_00A5301F
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: EnumSystemLocalesW,		22_2_00A5B99B
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: EnumSystemLocalesW,		22_2_00A5B900
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,		22_2_00A5BA28
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: EnumSystemLocalesW,		22_2_00A52C04
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: GetLocaleInfoW,		22_2_00A5BC78
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,		22_2_00A5BDA1
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: GetLocaleInfoW,		22_2_00A5BEA8
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,		22_2_00A5B63D
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,		22_2_00A5BF75

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Contains functionality to query local / system time

Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe

Code function: 1_2_004188D6 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

1_2_004188D6

Contains functionality to query time zone information

Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe

Code function: 22_2_00A553D2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

22_2_00A553D2

Contains functionality to query windows version

Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe

Code function: 1_2_00424371 GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterWindowMessageA,

1_2_00424371

Queries the cryptographic machine GUID

Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet

Source: Yara match	File source: 0000001C.00000002.442107298.0000000002E30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.464467088.0000000002971000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.428286473.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.439198093.00000000030A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.419691301.0000000002B60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.447921757.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.409946208.00000000020C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.468787553.00000000029E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.470554430.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.493970869.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.446724023.0000000003274000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.482749716.00000000025B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.483313060.0000000002671000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.439928850.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.468454177.0000000002980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.433437120.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.413932910.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.438746003.0000000001350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.449294722.0000000001310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.483058248.0000000002614000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.463773326.00000000028B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.243322939.00000000021E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.409716178.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.429639515.0000000002CD4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.446019093.0000000001850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.414052123.0000000002F14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.477958707.00000000031B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.492699981.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.417949677.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.410029176.00000000021D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.429459440.0000000002C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.465519796.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.464108385.0000000002914000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.243267422.0000000002180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.243296865.00000000021C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.449645390.0000000002D64000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.442504698.0000000002E94000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.443777034.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.478389759.0000000003214000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.420026339.0000000002BC4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.494214004.0000000002B44000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.412800025.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 32.2.jscript9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.KBDHEB.exe.5b053f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.msrd2x40.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.tokenbinding2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.catsrvut.exe.2ae279e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.KBDINTAM.exe.185279e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.MCCSEngineShared.exe.28b279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.COLORCNV.exe.135052e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.MCCSEngineShared.exe.28b279e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.msvcr100_clr0400.exe.25b279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.KBDHEB.exe.2b6279e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.KBDINTAM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.tokenbinding2.exe.2eb279e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.KBDHEB.exe.2b6052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.msrd2x40.exe.131052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.execmodelproxy.exe.2c7052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.wmvdspa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.wmvdspa.exe.31b052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MV9tCJw8Xr.exe.218053f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.msvcr100_clr0400.exe.2670000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.catsrvut.exe.2ae052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.execmodelproxy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.usp10.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.jscript9.exe.298279e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.wmvdspa.exe.31b279e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.execmodelproxy.exe.2c7052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.MCCSEngineShared.exe.2970000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.KBDHEB.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.jscript9.exe.298052e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.msrd2x40.exe.131279e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.wmvdspa.exe.31b279e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MV9tCJw8Xr.exe.2181f3f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.KBDHEB.exe.21d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.COLORCNV.exe.135052e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.usp10.exe.2e3279e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MV9tCJw8Xr.exe.218053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.usp10.exe.2e3279e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.COLORCNV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.KBDINTAM.exe.185279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.MCCSEngineShared.exe.28b052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.KBDHEB.exe.2b6052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MV9tCJw8Xr.exe.21e0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.COLORCNV.exe.135279e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.msrd2x40.exe.131279e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.msvcr100_clr0400.exe.25b052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.COLORCNV.exe.135279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.wmvdspa.exe.31b052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.execmodelproxy.exe.2c7279e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.catsrvut.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.execmodelproxy.exe.2c7279e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.usp10.exe.2e3052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.KBDHEB.exe.5b1f3f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.KBDHEB.exe.2b6279e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.tokenbinding2.exe.2eb052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.msvcr100_clr0400.exe.25b052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.KBDHEB.exe.20c4000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.KBDHEB.exe.5b053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.catsrvut.exe.2ae052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.jscript9.exe.298052e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.tokenbinding2.exe.2eb052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.msvcr100_clr0400.exe.25b279e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.jscript9.exe.298279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.usp10.exe.2e3052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MV9tCJw8Xr.exe.2181f3f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MV9tCJw8Xr.exe.21c4000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.KBDHEB.exe.20c4000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.catsrvut.exe.2ae279e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.MCCSEngineShared.exe.28b052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.msrd2x40.exe.131052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.tokenbinding2.exe.2eb279e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.KBDINTAM.exe.185052e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MV9tCJw8Xr.exe.21c4000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.KBDHEB.exe.5b1f3f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.KBDINTAM.exe.185052e.3.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe

Code function: 22_2_00A413C0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,

22_2_00A413C0