Windows Analysis Report 0TOEtGJHN8

Overview

General Information

Sample Name: 0TOEtGJHN8 (renamed file extension from none to exe)
Analysis ID: 480340
MD5: 3639d17c4944743ac5c70c4e1bd30178
SHA1: 0047a882cf542b94754496c8cb985ab64561f72c
SHA256: 2cb7516c937ad8b9467ca417530651e34340d231c3696149c7d7b22e24ffaf9b
Infos:

Most interesting Screenshot:

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
Machine Learning detection for sample
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection:

barindex
Found malware configuration
Source: 0.2.0TOEtGJHN8.exe.2b6052e.1.unpack Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["102.182.145.130:80", "173.173.254.105:80", "64.207.182.168:8080", "51.89.199.141:8080", "167.114.153.111:8080", "173.63.222.65:80", "218.147.193.146:80", "59.125.219.109:443", "172.104.97.173:8080", "190.162.215.233:80", "68.115.186.26:80", "78.188.106.53:443", "190.240.194.77:443", "24.133.106.23:80", "80.227.52.78:80", "79.137.83.50:443", "120.150.218.241:443", "62.171.142.179:8080", "194.4.58.192:7080", "62.30.7.67:443", "134.209.144.106:443", "24.230.141.169:80", "194.190.67.75:80", "172.91.208.86:80", "201.241.127.190:80", "185.94.252.104:443", "104.131.11.150:443", "71.15.245.148:8080", "176.111.60.55:8080", "172.86.188.251:8080", "194.187.133.160:443", "113.61.66.94:80", "91.211.88.52:7080", "202.134.4.216:8080", "154.91.33.137:443", "74.40.205.197:443", "87.106.139.101:8080", "66.76.12.94:8080", "139.59.60.244:8080", "112.185.64.233:80", "85.105.111.166:80", "74.208.45.104:8080", "94.230.70.6:80", "49.3.224.99:8080", "119.59.116.21:8080", "182.208.30.18:443", "184.180.181.202:80", "47.36.140.164:80", "186.70.56.94:443", "187.161.206.24:80", "102.182.93.220:80", "201.171.244.130:80", "190.12.119.180:443", "89.121.205.18:80", "110.145.77.103:80", "172.105.13.66:443", "108.46.29.236:80", "49.50.209.131:80", "75.143.247.51:80", "137.59.187.107:8080", "188.219.31.12:80", "61.33.119.226:443", "209.141.54.221:7080", "95.213.236.64:8080", "120.150.60.189:80", "190.164.104.62:80", "186.74.215.34:80", "139.99.158.11:443", "61.19.246.238:443", "121.7.31.214:80", "88.153.35.32:80", "5.39.91.110:7080", "123.142.37.166:80", "50.245.107.73:443", "95.9.5.93:80", "37.139.21.175:8080", "157.245.99.39:8080", "217.123.207.149:80", "72.186.136.247:443", "115.94.207.99:443", "202.141.243.254:443", "78.24.219.147:8080", "97.82.79.83:80", "217.20.166.178:7080", "203.153.216.189:7080", "220.245.198.194:80", "168.235.67.138:7080", "110.142.236.207:80", "162.241.140.129:8080", "76.175.162.101:80", "27.114.9.93:80", "24.178.90.49:80", "202.134.4.211:8080", "123.176.25.234:80", "61.76.222.210:80", "109.116.245.80:80", "139.162.60.124:8080", "190.108.228.27:443", "94.23.237.171:443", "2.58.16.89:8080", "37.179.204.33:80", "96.245.227.43:80", "216.139.123.119:80", "89.216.122.92:80", "37.187.72.193:8080", "74.214.230.200:80", "93.147.212.206:80", "103.86.49.11:8080", "174.106.122.139:80", "138.68.87.218:443", "118.83.154.64:443", "200.116.145.225:443", "94.200.114.161:80", "62.75.141.82:80", "121.124.124.40:7080", "176.113.52.6:443", "24.137.76.62:80", "41.185.28.84:8080", "50.91.114.38:80", "46.105.131.79:8080", "109.74.5.95:8080", "67.170.250.203:443"]}
Multi AV Scanner detection for submitted file
Source: 0TOEtGJHN8.exe Virustotal: Detection: 85% Perma Link
Source: 0TOEtGJHN8.exe Metadefender: Detection: 45% Perma Link
Source: 0TOEtGJHN8.exe ReversingLabs: Detection: 88%
Antivirus / Scanner detection for submitted sample
Source: 0TOEtGJHN8.exe Avira: detected
Machine Learning detection for sample
Source: 0TOEtGJHN8.exe Joe Sandbox ML: detected

Cryptography:

barindex
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD2290 CryptGetHashParam,CryptEncrypt,CryptDestroyHash,CryptDuplicateHash,memcpy,CryptExportKey,GetProcessHeap,RtlAllocateHeap, 4_2_02DD2290
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx, 4_2_02DD2650
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD1FB0 memcpy,GetProcessHeap,RtlAllocateHeap,CryptDestroyHash,CryptDuplicateHash, 4_2_02DD1FB0

Compliance:

barindex
Uses 32bit PE files
Source: 0TOEtGJHN8.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F538F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose, 0_2_02F538F0
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose, 4_2_02DD38F0

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 102.182.145.130:80
Source: Malware configuration extractor IPs: 173.173.254.105:80
Source: Malware configuration extractor IPs: 64.207.182.168:8080
Source: Malware configuration extractor IPs: 51.89.199.141:8080
Source: Malware configuration extractor IPs: 167.114.153.111:8080
Source: Malware configuration extractor IPs: 173.63.222.65:80
Source: Malware configuration extractor IPs: 218.147.193.146:80
Source: Malware configuration extractor IPs: 59.125.219.109:443
Source: Malware configuration extractor IPs: 172.104.97.173:8080
Source: Malware configuration extractor IPs: 190.162.215.233:80
Source: Malware configuration extractor IPs: 68.115.186.26:80
Source: Malware configuration extractor IPs: 78.188.106.53:443
Source: Malware configuration extractor IPs: 190.240.194.77:443
Source: Malware configuration extractor IPs: 24.133.106.23:80
Source: Malware configuration extractor IPs: 80.227.52.78:80
Source: Malware configuration extractor IPs: 79.137.83.50:443
Source: Malware configuration extractor IPs: 120.150.218.241:443
Source: Malware configuration extractor IPs: 62.171.142.179:8080
Source: Malware configuration extractor IPs: 194.4.58.192:7080
Source: Malware configuration extractor IPs: 62.30.7.67:443
Source: Malware configuration extractor IPs: 134.209.144.106:443
Source: Malware configuration extractor IPs: 24.230.141.169:80
Source: Malware configuration extractor IPs: 194.190.67.75:80
Source: Malware configuration extractor IPs: 172.91.208.86:80
Source: Malware configuration extractor IPs: 201.241.127.190:80
Source: Malware configuration extractor IPs: 185.94.252.104:443
Source: Malware configuration extractor IPs: 104.131.11.150:443
Source: Malware configuration extractor IPs: 71.15.245.148:8080
Source: Malware configuration extractor IPs: 176.111.60.55:8080
Source: Malware configuration extractor IPs: 172.86.188.251:8080
Source: Malware configuration extractor IPs: 194.187.133.160:443
Source: Malware configuration extractor IPs: 113.61.66.94:80
Source: Malware configuration extractor IPs: 91.211.88.52:7080
Source: Malware configuration extractor IPs: 202.134.4.216:8080
Source: Malware configuration extractor IPs: 154.91.33.137:443
Source: Malware configuration extractor IPs: 74.40.205.197:443
Source: Malware configuration extractor IPs: 87.106.139.101:8080
Source: Malware configuration extractor IPs: 66.76.12.94:8080
Source: Malware configuration extractor IPs: 139.59.60.244:8080
Source: Malware configuration extractor IPs: 112.185.64.233:80
Source: Malware configuration extractor IPs: 85.105.111.166:80
Source: Malware configuration extractor IPs: 74.208.45.104:8080
Source: Malware configuration extractor IPs: 94.230.70.6:80
Source: Malware configuration extractor IPs: 49.3.224.99:8080
Source: Malware configuration extractor IPs: 119.59.116.21:8080
Source: Malware configuration extractor IPs: 182.208.30.18:443
Source: Malware configuration extractor IPs: 184.180.181.202:80
Source: Malware configuration extractor IPs: 47.36.140.164:80
Source: Malware configuration extractor IPs: 186.70.56.94:443
Source: Malware configuration extractor IPs: 187.161.206.24:80
Source: Malware configuration extractor IPs: 102.182.93.220:80
Source: Malware configuration extractor IPs: 201.171.244.130:80
Source: Malware configuration extractor IPs: 190.12.119.180:443
Source: Malware configuration extractor IPs: 89.121.205.18:80
Source: Malware configuration extractor IPs: 110.145.77.103:80
Source: Malware configuration extractor IPs: 172.105.13.66:443
Source: Malware configuration extractor IPs: 108.46.29.236:80
Source: Malware configuration extractor IPs: 49.50.209.131:80
Source: Malware configuration extractor IPs: 75.143.247.51:80
Source: Malware configuration extractor IPs: 137.59.187.107:8080
Source: Malware configuration extractor IPs: 188.219.31.12:80
Source: Malware configuration extractor IPs: 61.33.119.226:443
Source: Malware configuration extractor IPs: 209.141.54.221:7080
Source: Malware configuration extractor IPs: 95.213.236.64:8080
Source: Malware configuration extractor IPs: 120.150.60.189:80
Source: Malware configuration extractor IPs: 190.164.104.62:80
Source: Malware configuration extractor IPs: 186.74.215.34:80
Source: Malware configuration extractor IPs: 139.99.158.11:443
Source: Malware configuration extractor IPs: 61.19.246.238:443
Source: Malware configuration extractor IPs: 121.7.31.214:80
Source: Malware configuration extractor IPs: 88.153.35.32:80
Source: Malware configuration extractor IPs: 5.39.91.110:7080
Source: Malware configuration extractor IPs: 123.142.37.166:80
Source: Malware configuration extractor IPs: 50.245.107.73:443
Source: Malware configuration extractor IPs: 95.9.5.93:80
Source: Malware configuration extractor IPs: 37.139.21.175:8080
Source: Malware configuration extractor IPs: 157.245.99.39:8080
Source: Malware configuration extractor IPs: 217.123.207.149:80
Source: Malware configuration extractor IPs: 72.186.136.247:443
Source: Malware configuration extractor IPs: 115.94.207.99:443
Source: Malware configuration extractor IPs: 202.141.243.254:443
Source: Malware configuration extractor IPs: 78.24.219.147:8080
Source: Malware configuration extractor IPs: 97.82.79.83:80
Source: Malware configuration extractor IPs: 217.20.166.178:7080
Source: Malware configuration extractor IPs: 203.153.216.189:7080
Source: Malware configuration extractor IPs: 220.245.198.194:80
Source: Malware configuration extractor IPs: 168.235.67.138:7080
Source: Malware configuration extractor IPs: 110.142.236.207:80
Source: Malware configuration extractor IPs: 162.241.140.129:8080
Source: Malware configuration extractor IPs: 76.175.162.101:80
Source: Malware configuration extractor IPs: 27.114.9.93:80
Source: Malware configuration extractor IPs: 24.178.90.49:80
Source: Malware configuration extractor IPs: 202.134.4.211:8080
Source: Malware configuration extractor IPs: 123.176.25.234:80
Source: Malware configuration extractor IPs: 61.76.222.210:80
Source: Malware configuration extractor IPs: 109.116.245.80:80
Source: Malware configuration extractor IPs: 139.162.60.124:8080
Source: Malware configuration extractor IPs: 190.108.228.27:443
Source: Malware configuration extractor IPs: 94.23.237.171:443
Source: Malware configuration extractor IPs: 2.58.16.89:8080
Source: Malware configuration extractor IPs: 37.179.204.33:80
Source: Malware configuration extractor IPs: 96.245.227.43:80
Source: Malware configuration extractor IPs: 216.139.123.119:80
Source: Malware configuration extractor IPs: 89.216.122.92:80
Source: Malware configuration extractor IPs: 37.187.72.193:8080
Source: Malware configuration extractor IPs: 74.214.230.200:80
Source: Malware configuration extractor IPs: 93.147.212.206:80
Source: Malware configuration extractor IPs: 103.86.49.11:8080
Source: Malware configuration extractor IPs: 174.106.122.139:80
Source: Malware configuration extractor IPs: 138.68.87.218:443
Source: Malware configuration extractor IPs: 118.83.154.64:443
Source: Malware configuration extractor IPs: 200.116.145.225:443
Source: Malware configuration extractor IPs: 94.200.114.161:80
Source: Malware configuration extractor IPs: 62.75.141.82:80
Source: Malware configuration extractor IPs: 121.124.124.40:7080
Source: Malware configuration extractor IPs: 176.113.52.6:443
Source: Malware configuration extractor IPs: 24.137.76.62:80
Source: Malware configuration extractor IPs: 41.185.28.84:8080
Source: Malware configuration extractor IPs: 50.91.114.38:80
Source: Malware configuration extractor IPs: 46.105.131.79:8080
Source: Malware configuration extractor IPs: 109.74.5.95:8080
Source: Malware configuration extractor IPs: 67.170.250.203:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HOSTER-KZ HOSTER-KZ
Source: Joe Sandbox View ASN Name: AfrihostZA AfrihostZA
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 194.4.58.192 194.4.58.192
Source: Joe Sandbox View IP Address: 95.9.5.93 95.9.5.93
Source: Joe Sandbox View IP Address: 94.200.114.161 94.200.114.161
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49760 -> 64.207.182.168:8080
Source: global traffic TCP traffic: 192.168.2.4:49821 -> 51.89.199.141:8080
Source: global traffic TCP traffic: 192.168.2.4:49830 -> 167.114.153.111:8080
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 34
Source: unknown TCP traffic detected without corresponding DNS query: 102.182.145.130
Source: unknown TCP traffic detected without corresponding DNS query: 102.182.145.130
Source: unknown TCP traffic detected without corresponding DNS query: 102.182.145.130
Source: unknown TCP traffic detected without corresponding DNS query: 173.173.254.105
Source: unknown TCP traffic detected without corresponding DNS query: 173.173.254.105
Source: unknown TCP traffic detected without corresponding DNS query: 173.173.254.105
Source: unknown TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown TCP traffic detected without corresponding DNS query: 173.63.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 173.63.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 173.63.222.65
Source: svchost.exe, 0000000C.00000003.774874421.000001DFA7981000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000C.00000003.774874421.000001DFA7981000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000C.00000003.774874421.000001DFA7981000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-09-03T08:13:47.6485296Z||.||9eff4c9e-5599-4773-81dc-0299af880dd5||1152921505693851877||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000C.00000003.774874421.000001DFA7981000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-09-03T08:13:47.6485296Z||.||9eff4c9e-5599-4773-81dc-0299af880dd5||1152921505693851877||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000C.00000003.766477397.000001DFA7981000.00000004.00000001.sdmp String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detec equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000C.00000003.766477397.000001DFA7981000.00000004.00000001.sdmp String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detec equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000C.00000003.766477397.000001DFA7981000.00000004.00000001.sdmp String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detec equals www.youtube.com (Youtube)
Source: svchost.exe, 0000000C.00000003.766506617.000001DFA7E1D000.00000004.00000001.sdmp String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: svchost.exe, 0000000C.00000003.766506617.000001DFA7E1D000.00000004.00000001.sdmp String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: svchost.exe, 0000000C.00000003.766506617.000001DFA7E1D000.00000004.00000001.sdmp String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: signdrv.exe, 00000004.00000003.860042980.0000000003172000.00000004.00000001.sdmp String found in binary or memory: http://102.182.145.130/GW9pD1/
Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp String found in binary or memory: http://167.114.153.111:8080/Y8QcFjXY9mTwqEUtHZi/jo0m0vlpkUvB8EqBbI/fLIWQI1S3rZ/hVNDUF/QmsdwGh/1dNDF7
Source: signdrv.exe, 00000004.00000003.860042980.0000000003172000.00000004.00000001.sdmp String found in binary or memory: http://173.173.254.105/eRt0rf/h47E/PPGzddI6qtwJHCcrLv/
Source: signdrv.exe, 00000004.00000003.860042980.0000000003172000.00000004.00000001.sdmp String found in binary or memory: http://173.173.254.105/eRt0rf/h47E/PPGzddI6qtwJHCcrLv/4
Source: signdrv.exe, 00000004.00000002.927418525.0000000002EF6000.00000004.00000001.sdmp String found in binary or memory: http://173.173.254.105/eRt0rf/h47E/PPGzddI6qtwJHCcrLv/B
Source: signdrv.exe, 00000004.00000003.860042980.0000000003172000.00000004.00000001.sdmp String found in binary or memory: http://173.173.254.105/eRt0rf/h47E/PPGzddI6qtwJHCcrLv/G
Source: signdrv.exe, 00000004.00000002.927418525.0000000002EF6000.00000004.00000001.sdmp String found in binary or memory: http://173.173.254.105/eRt0rf/h47E/PPGzddI6qtwJHCcrLv/J
Source: signdrv.exe, 00000004.00000003.860042980.0000000003172000.00000004.00000001.sdmp String found in binary or memory: http://173.173.254.105/eRt0rf/h47E/PPGzddI6qtwJHCcrLv/p
Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp String found in binary or memory: http://173.63.222.65/9ZCmKiFO7uHPn84/3EvH6ueL/1JsHphUq/xlmyNF0tH4Btuub/
Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp String found in binary or memory: http://173.63.222.65/9ZCmKiFO7uHPn84/3EvH6ueL/1JsHphUq/xlmyNF0tH4Btuub/$
Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp String found in binary or memory: http://173.63.222.65/9ZCmKiFO7uHPn84/3EvH6ueL/1JsHphUq/xlmyNF0tH4Btuub/t
Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp String found in binary or memory: http://173.63.222.65/9ZCmKiFO7uHPn84/3EvH6ueL/1JsHphUq/xlmyNF0tH4Btuub/~
Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp String found in binary or memory: http://51.89.199.141:8080/D9XLHb/nDTPEm8/mQcO7qSsE6DgkWRoP/5bBQ4sqVDIFS/KjX037lSEGPiO0wQmiO/
Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp String found in binary or memory: http://51.89.199.141:8080/D9XLHb/nDTPEm8/mQcO7qSsE6DgkWRoP/5bBQ4sqVDIFS/KjX037lSEGPiO0wQmiO/%
Source: svchost.exe, 0000000C.00000002.786933919.000001DFA7900000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000C.00000002.786799839.000001DFA72EC000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000C.00000003.766477397.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.766506617.000001DFA7E1D000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 0000000C.00000003.766477397.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.766506617.000001DFA7E1D000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 0000000C.00000003.773810411.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.773770820.000001DFA79A5000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000000C.00000003.773810411.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.773770820.000001DFA79A5000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000000C.00000003.773810411.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.773770820.000001DFA79A5000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 0000000C.00000003.766477397.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.766506617.000001DFA7E1D000.00000004.00000001.sdmp String found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
Source: svchost.exe, 0000000C.00000003.773810411.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.773770820.000001DFA79A5000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000000C.00000003.773810411.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.773770820.000001DFA79A5000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy
Source: svchost.exe, 0000000C.00000003.767642393.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.767628847.000001DFA799C000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: 0TOEtGJHN8.exe, 00000000.00000002.666782953.0000000000FCA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

barindex
Yara detected Emotet
Source: Yara match File source: 4.2.signdrv.exe.e3052e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.2f50000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.signdrv.exe.e3279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.2b6279e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.2b6052e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.signdrv.exe.e3279e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.signdrv.exe.2dd0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.signdrv.exe.e3052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.2b6052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.2b6279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.667325990.0000000002B60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.667365539.0000000002BA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.926653493.0000000000E30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.927258349.0000000002DD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.667403377.0000000002F51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.927204458.0000000002D94000.00000004.00000001.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx, 4_2_02DD2650

System Summary:

barindex
Uses 32bit PE files
Source: 0TOEtGJHN8.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe File deleted: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe:Zone.Identifier Jump to behavior
Creates files inside the system directory
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe File created: C:\Windows\SysWOW64\KBDOGHAM\ Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F58240 0_2_02F58240
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F53BA0 0_2_02F53BA0
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F51C70 0_2_02F51C70
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F57740 0_2_02F57740
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F56530 0_2_02F56530
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F53F20 0_2_02F53F20
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F53D10 0_2_02F53D10
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B65ABE 0_2_02B65ABE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B692DE 0_2_02B692DE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B6573E 0_2_02B6573E
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B658AE 0_2_02B658AE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B680CE 0_2_02B680CE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B6380E 0_2_02B6380E
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B77069 0_2_02B77069
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B69DDE 0_2_02B69DDE
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD8240 4_2_02DD8240
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD3BA0 4_2_02DD3BA0
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD7740 4_2_02DD7740
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD1C70 4_2_02DD1C70
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD3D10 4_2_02DD3D10
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD6530 4_2_02DD6530
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD3F20 4_2_02DD3F20
Source: 0TOEtGJHN8.exe Virustotal: Detection: 85%
Source: 0TOEtGJHN8.exe Metadefender: Detection: 45%
Source: 0TOEtGJHN8.exe ReversingLabs: Detection: 88%
Source: 0TOEtGJHN8.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\0TOEtGJHN8.exe 'C:\Users\user\Desktop\0TOEtGJHN8.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Process created: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Process created: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Jump to behavior
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: classification engine Classification label: mal92.troj.evad.winEXE@9/0@0/100
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: CloseServiceHandle,_snwprintf,CreateServiceW,CloseServiceHandle, 0_2_02F587D0
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F55070 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap, 0_2_02F55070
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD4CB0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification, 4_2_02DD4CB0
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F55DF0 push ecx; mov dword ptr [esp], 0000AAF5h 0_2_02F55DF1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F55EF0 push ecx; mov dword ptr [esp], 0000669Ch 0_2_02F55EF1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F55CD0 push ecx; mov dword ptr [esp], 00001CE1h 0_2_02F55CD1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F55DC0 push ecx; mov dword ptr [esp], 000089FAh 0_2_02F55DC1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F55EA0 push ecx; mov dword ptr [esp], 0000A3FDh 0_2_02F55EA1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F55D90 push ecx; mov dword ptr [esp], 0000B2E0h 0_2_02F55D91
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F55D50 push ecx; mov dword ptr [esp], 00006847h 0_2_02F55D51
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F55D20 push ecx; mov dword ptr [esp], 0000C5A1h 0_2_02F55D21
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F55F20 push ecx; mov dword ptr [esp], 0000E36Ch 0_2_02F55F21
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F55E10 push ecx; mov dword ptr [esp], 0000F5B3h 0_2_02F55E11
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F55D00 push ecx; mov dword ptr [esp], 00001F9Eh 0_2_02F55D01
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B67ABE push ecx; mov dword ptr [esp], 0000E36Ch 0_2_02B67ABF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B83E9C push ebx; iretd 0_2_02B83EAF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B83E9C push FFFFFF95h; iretd 0_2_02B83EF1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B67A8E push ecx; mov dword ptr [esp], 0000669Ch 0_2_02B67A8F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B67A3E push ecx; mov dword ptr [esp], 0000A3FDh 0_2_02B67A3F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B678BE push ecx; mov dword ptr [esp], 0000C5A1h 0_2_02B678BF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B6789E push ecx; mov dword ptr [esp], 00001F9Eh 0_2_02B6789F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B678EE push ecx; mov dword ptr [esp], 00006847h 0_2_02B678EF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B6786E push ecx; mov dword ptr [esp], 00001CE1h 0_2_02B6786F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B679AE push ecx; mov dword ptr [esp], 0000F5B3h 0_2_02B679AF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B6798E push ecx; mov dword ptr [esp], 0000AAF5h 0_2_02B6798F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B7858F push edi; iretd 0_2_02B785A1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B839D9 push ss; iretd 0_2_02B839DE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B6792E push ecx; mov dword ptr [esp], 0000B2E0h 0_2_02B6792F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B6795E push ecx; mov dword ptr [esp], 000089FAh 0_2_02B6795F
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD5CD0 push ecx; mov dword ptr [esp], 00001CE1h 4_2_02DD5CD1
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD5DC0 push ecx; mov dword ptr [esp], 000089FAh 4_2_02DD5DC1
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD5DF0 push ecx; mov dword ptr [esp], 0000AAF5h 4_2_02DD5DF1
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD5EF0 push ecx; mov dword ptr [esp], 0000669Ch 4_2_02DD5EF1
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD5D90 push ecx; mov dword ptr [esp], 0000B2E0h 4_2_02DD5D91
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02BA1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, 0_2_02BA1030

Persistence and Installation Behavior:

barindex
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Executable created and started: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Jump to behavior
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe PE file moved: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe File opened: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe:Zone.Identifier read attributes | delete Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior

Malware Analysis System Evasion:

barindex
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 5468 Thread sleep time: -180000s >= -30000s Jump to behavior
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap, 0_2_02F55070
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F538F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose, 0_2_02F538F0
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose, 4_2_02DD38F0
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: svchost.exe, 0000000C.00000002.786813778.000001DFA72FB000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000002.00000002.924057917.000002363A802000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: signdrv.exe, 00000004.00000003.860042980.0000000003172000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.786799839.000001DFA72EC000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02BA1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, 0_2_02BA1030
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F538F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose, 0_2_02F538F0
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F53F20 mov eax, dword ptr fs:[00000030h] 0_2_02F53F20
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F54E20 mov eax, dword ptr fs:[00000030h] 0_2_02F54E20
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B65ABE mov eax, dword ptr fs:[00000030h] 0_2_02B65ABE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B60456 mov eax, dword ptr fs:[00000030h] 0_2_02B60456
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B669BE mov eax, dword ptr fs:[00000030h] 0_2_02B669BE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B6095E mov eax, dword ptr fs:[00000030h] 0_2_02B6095E
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02BA1030 mov eax, dword ptr fs:[00000030h] 0_2_02BA1030
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD3F20 mov eax, dword ptr fs:[00000030h] 4_2_02DD3F20
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD4E20 mov eax, dword ptr fs:[00000030h] 4_2_02DD4E20
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02D91030 mov eax, dword ptr fs:[00000030h] 4_2_02D91030
Source: signdrv.exe, 00000004.00000002.927120135.0000000001530000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: signdrv.exe, 00000004.00000002.927120135.0000000001530000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: signdrv.exe, 00000004.00000002.927120135.0000000001530000.00000002.00020000.sdmp Binary or memory string: Progman
Source: signdrv.exe, 00000004.00000002.927120135.0000000001530000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F57EC0 _snwprintf,GetProcessHeap,SetFileInformationByHandle,SetFileInformationByHandle,GetSystemTimeAsFileTime,CreateFileW,CreateFileW,CloseHandle, 0_2_02F57EC0
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD5360 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo, 4_2_02DD5360

Stealing of Sensitive Information:

barindex
Yara detected Emotet
Source: Yara match File source: 4.2.signdrv.exe.e3052e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.2f50000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.signdrv.exe.e3279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.2b6279e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.2b6052e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.signdrv.exe.e3279e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.signdrv.exe.2dd0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.signdrv.exe.e3052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.2b6052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.2b6279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.667325990.0000000002B60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.667365539.0000000002BA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.926653493.0000000000E30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.927258349.0000000002DD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.667403377.0000000002F51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.927204458.0000000002D94000.00000004.00000001.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 480340 Sample: 0TOEtGJHN8 Startdate: 09/09/2021 Architecture: WINDOWS Score: 92 25 217.20.166.178 WNETUS Ukraine 2->25 27 190.162.215.233 VTRBANDAANCHASACL Chile 2->27 29 92 other IPs or domains 2->29 31 Found malware configuration 2->31 33 Antivirus / Scanner detection for submitted sample 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 3 other signatures 2->37 7 0TOEtGJHN8.exe 2 2->7         started        10 svchost.exe 2->10         started        12 svchost.exe 1 2->12         started        14 4 other processes 2->14 signatures3 process4 signatures5 39 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 7->39 41 Drops executables to the windows directory (C:\Windows) and starts them 7->41 43 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->43 16 signdrv.exe 12 7->16         started        process6 dnsIp7 19 173.63.222.65, 80 UUNETUS United States 16->19 21 173.173.254.105, 80 TWC-11427-TEXASUS United States 16->21 23 4 other IPs or domains 16->23
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
194.4.58.192
 unknown Kazakhstan
202958 HOSTER-KZ true
102.182.93.220
 unknown South Africa
37611 AfrihostZA true
95.9.5.93
 unknown Turkey
9121 TTNETTR true
94.200.114.161
 unknown United Arab Emirates
15802 DU-AS1AE true
72.186.136.247
 unknown United States
33363 BHN-33363US true
115.94.207.99
 unknown Korea Republic of
3786 LGDACOMLGDACOMCorporationKR true
24.133.106.23
 unknown Turkey
47524 TURKSAT-ASTR true
89.121.205.18
 unknown Romania
9050 RTDBucharestRomaniaRO true
216.139.123.119
 unknown United States
395582 GRM-NETWORKUS true
200.116.145.225
 unknown Colombia
13489 EPMTelecomunicacionesSAESPCO true
172.105.13.66
 unknown United States
63949 LINODE-APLinodeLLCUS true
138.68.87.218
 unknown United States
14061 DIGITALOCEAN-ASNUS true
220.245.198.194
 unknown Australia
7545 TPG-INTERNET-APTPGTelecomLimitedAU true
67.170.250.203
 unknown United States
7922 COMCAST-7922US true
104.131.11.150
 unknown United States
14061 DIGITALOCEAN-ASNUS true
176.111.60.55
 unknown Ukraine
24703 UN-UKRAINE-ASKievUkraineUA true
24.178.90.49
 unknown United States
20115 CHARTER-20115US true
94.23.237.171
 unknown France
16276 OVHFR true
187.161.206.24
 unknown Mexico
11888 TelevisionInternacionalSAdeCVMX true
41.185.28.84
 unknown South Africa
36943 GridhostZA true
194.190.67.75
 unknown Russian Federation
50804 BESTLINE-NET-PROTVINORU true
186.74.215.34
 unknown Panama
11556 CableWirelessPanamaPA true
109.116.245.80
 unknown Italy
30722 VODAFONE-IT-ASNIT true
202.134.4.216
 unknown Indonesia
7713 TELKOMNET-AS-APPTTelekomunikasiIndonesiaID true
120.150.218.241
 unknown Australia
1221 ASN-TELSTRATelstraCorporationLtdAU true
202.134.4.211
 unknown Indonesia
7713 TELKOMNET-AS-APPTTelekomunikasiIndonesiaID true
87.106.139.101
 unknown Germany
8560 ONEANDONE-ASBrauerstrasse48DE true
62.30.7.67
 unknown United Kingdom
5089 NTLGB true
123.142.37.166
 unknown Korea Republic of
3786 LGDACOMLGDACOMCorporationKR true
51.89.199.141
 unknown France
16276 OVHFR true
75.143.247.51
 unknown United States
20115 CHARTER-20115US true
49.3.224.99
 unknown Australia
4804 MPX-ASMicroplexPTYLTDAU true
162.241.140.129
 unknown United States
46606 UNIFIEDLAYER-AS-1US true
62.75.141.82
 unknown Germany
8972 GD-EMEA-DC-SXB1DE true
119.59.116.21
 unknown Thailand
56067 METRABYTE-TH453LadplacoutJorakhaebuaTH true
172.91.208.86
 unknown United States
20001 TWC-20001-PACWESTUS true
113.61.66.94
 unknown Australia
45510 TELCOINABOX-AULevel109HunterStreetAU true
96.245.227.43
 unknown United States
701 UUNETUS true
37.139.21.175
 unknown Netherlands
14061 DIGITALOCEAN-ASNUS true
194.187.133.160
 unknown Bulgaria
13124 IBGCBG true
121.7.31.214
 unknown Singapore
9506 SINGTEL-FIBRESingtelFibreBroadbandSG true
112.185.64.233
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR true
61.76.222.210
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR true
95.213.236.64
 unknown Russian Federation
49505 SELECTELRU true
46.105.131.79
 unknown France
16276 OVHFR true
27.114.9.93
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP true
74.214.230.200
 unknown United States
36728 EMERYTELCOMUS true
190.162.215.233
 unknown Chile
22047 VTRBANDAANCHASACL true
110.145.77.103
 unknown Australia
1221 ASN-TELSTRATelstraCorporationLtdAU true
154.91.33.137
 unknown Seychelles
137443 ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK true
120.150.60.189
 unknown Australia
1221 ASN-TELSTRATelstraCorporationLtdAU true
93.147.212.206
 unknown Italy
30722 VODAFONE-IT-ASNIT true
91.211.88.52
 unknown Ukraine
206638 HOSTFORYUA true
172.86.188.251
 unknown Canada
32489 AMANAHA-NEWCA true
157.245.99.39
 unknown United States
14061 DIGITALOCEAN-ASNUS true
167.114.153.111
 unknown Canada
16276 OVHFR true
37.179.204.33
 unknown Italy
30722 VODAFONE-IT-ASNIT true
203.153.216.189
 unknown Indonesia
45291 SURF-IDPTSurfindoNetworkID true
59.125.219.109
 unknown Taiwan; Republic of China (ROC)
3462 HINETDataCommunicationBusinessGroupTW true
2.58.16.89
 unknown Latvia
64421 SERTEX-ASLV true
62.171.142.179
 unknown United Kingdom
51167 CONTABODE true
123.176.25.234
 unknown Maldives
7642 DHIRAAGU-MV-APDHIVEHIRAAJJEYGEGULHUNPLCMV true
50.91.114.38
 unknown United States
33363 BHN-33363US true
61.33.119.226
 unknown Korea Republic of
3786 LGDACOMLGDACOMCorporationKR true
217.123.207.149
 unknown Netherlands
33915 TNF-ASNL true
78.24.219.147
 unknown Russian Federation
29182 THEFIRST-ASRU true
173.63.222.65
 unknown United States
701 UUNETUS true
47.36.140.164
 unknown United States
20115 CHARTER-20115US true
110.142.236.207
 unknown Australia
1221 ASN-TELSTRATelstraCorporationLtdAU true
139.99.158.11
 unknown Canada
16276 OVHFR true
201.171.244.130
 unknown Mexico
8151 UninetSAdeCVMX true
49.50.209.131
 unknown New Zealand
55853 MEGATEL-AS-APMegatelNZ true
190.108.228.27
 unknown Argentina
27751 NeunetSAAR true
202.141.243.254
 unknown Pakistan
9260 MULTINET-AS-APMultinetPakistanPvtLtdPK true
121.124.124.40
 unknown Korea Republic of
9318 SKB-ASSKBroadbandCoLtdKR true
139.59.60.244
 unknown Singapore
14061 DIGITALOCEAN-ASNUS true
61.19.246.238
 unknown Thailand
9335 CAT-CLOUD-APCATTelecomPublicCompanyLimitedTH true
168.235.67.138
 unknown United States
3842 RAMNODEUS true
137.59.187.107
 unknown Hong Kong
18106 VIEWQWEST-SG-APViewqwestPteLtdSG true
78.188.106.53
 unknown Turkey
9121 TTNETTR true
71.15.245.148
 unknown United States
20115 CHARTER-20115US true
188.219.31.12
 unknown Italy
30722 VODAFONE-IT-ASNIT true
64.207.182.168
 unknown United States
398110 GO-DADDY-COM-LLCUS true
217.20.166.178
 unknown Ukraine
1820 WNETUS true
24.230.141.169
 unknown United States
11232 MIDCO-NETUS true
74.208.45.104
 unknown United States
8560 ONEANDONE-ASBrauerstrasse48DE true
134.209.144.106
 unknown United States
14061 DIGITALOCEAN-ASNUS true
186.70.56.94
 unknown Ecuador
14522 SatnetEC true
97.82.79.83
 unknown United States
20115 CHARTER-20115US true
173.173.254.105
 unknown United States
11427 TWC-11427-TEXASUS true
172.104.97.173
 unknown United States
63949 LINODE-APLinodeLLCUS true
190.12.119.180
 unknown Argentina
11014 CPSAR true
139.162.60.124
 unknown Netherlands
63949 LINODE-APLinodeLLCUS true
184.180.181.202
 unknown United States
22773 ASN-CXA-ALL-CCI-22773-RDCUS true
176.113.52.6
 unknown Russian Federation
8712 INTA-ASRU true
68.115.186.26
 unknown United States
20115 CHARTER-20115US true
201.241.127.190
 unknown Chile
22047 VTRBANDAANCHASACL true
24.137.76.62
 unknown Canada
11260 EASTLINK-HSICA true
102.182.145.130
 unknown South Africa
37611 AfrihostZA true
182.208.30.18
 unknown Korea Republic of
17858 POWERVIS-AS-KRLGPOWERCOMMKR true