Windows Analysis Report 0TOEtGJHN8

Overview

General Information

Sample Name: 0TOEtGJHN8 (renamed file extension from none to exe)
Analysis ID: 480340
MD5: 3639d17c4944743ac5c70c4e1bd30178
SHA1: 0047a882cf542b94754496c8cb985ab64561f72c
SHA256: 2cb7516c937ad8b9467ca417530651e34340d231c3696149c7d7b22e24ffaf9b
Infos:

Most interesting Screenshot:

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
Machine Learning detection for sample
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection:

barindex
Found malware configuration
Source: 0.2.0TOEtGJHN8.exe.2b6052e.1.unpack Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["102.182.145.130:80", "173.173.254.105:80", "64.207.182.168:8080", "51.89.199.141:8080", "167.114.153.111:8080", "173.63.222.65:80", "218.147.193.146:80", "59.125.219.109:443", "172.104.97.173:8080", "190.162.215.233:80", "68.115.186.26:80", "78.188.106.53:443", "190.240.194.77:443", "24.133.106.23:80", "80.227.52.78:80", "79.137.83.50:443", "120.150.218.241:443", "62.171.142.179:8080", "194.4.58.192:7080", "62.30.7.67:443", "134.209.144.106:443", "24.230.141.169:80", "194.190.67.75:80", "172.91.208.86:80", "201.241.127.190:80", "185.94.252.104:443", "104.131.11.150:443", "71.15.245.148:8080", "176.111.60.55:8080", "172.86.188.251:8080", "194.187.133.160:443", "113.61.66.94:80", "91.211.88.52:7080", "202.134.4.216:8080", "154.91.33.137:443", "74.40.205.197:443", "87.106.139.101:8080", "66.76.12.94:8080", "139.59.60.244:8080", "112.185.64.233:80", "85.105.111.166:80", "74.208.45.104:8080", "94.230.70.6:80", "49.3.224.99:8080", "119.59.116.21:8080", "182.208.30.18:443", "184.180.181.202:80", "47.36.140.164:80", "186.70.56.94:443", "187.161.206.24:80", "102.182.93.220:80", "201.171.244.130:80", "190.12.119.180:443", "89.121.205.18:80", "110.145.77.103:80", "172.105.13.66:443", "108.46.29.236:80", "49.50.209.131:80", "75.143.247.51:80", "137.59.187.107:8080", "188.219.31.12:80", "61.33.119.226:443", "209.141.54.221:7080", "95.213.236.64:8080", "120.150.60.189:80", "190.164.104.62:80", "186.74.215.34:80", "139.99.158.11:443", "61.19.246.238:443", "121.7.31.214:80", "88.153.35.32:80", "5.39.91.110:7080", "123.142.37.166:80", "50.245.107.73:443", "95.9.5.93:80", "37.139.21.175:8080", "157.245.99.39:8080", "217.123.207.149:80", "72.186.136.247:443", "115.94.207.99:443", "202.141.243.254:443", "78.24.219.147:8080", "97.82.79.83:80", "217.20.166.178:7080", "203.153.216.189:7080", "220.245.198.194:80", "168.235.67.138:7080", "110.142.236.207:80", "162.241.140.129:8080", "76.175.162.101:80", "27.114.9.93:80", "24.178.90.49:80", "202.134.4.211:8080", "123.176.25.234:80", "61.76.222.210:80", "109.116.245.80:80", "139.162.60.124:8080", "190.108.228.27:443", "94.23.237.171:443", "2.58.16.89:8080", "37.179.204.33:80", "96.245.227.43:80", "216.139.123.119:80", "89.216.122.92:80", "37.187.72.193:8080", "74.214.230.200:80", "93.147.212.206:80", "103.86.49.11:8080", "174.106.122.139:80", "138.68.87.218:443", "118.83.154.64:443", "200.116.145.225:443", "94.200.114.161:80", "62.75.141.82:80", "121.124.124.40:7080", "176.113.52.6:443", "24.137.76.62:80", "41.185.28.84:8080", "50.91.114.38:80", "46.105.131.79:8080", "109.74.5.95:8080", "67.170.250.203:443"]}
Multi AV Scanner detection for submitted file
Source: 0TOEtGJHN8.exe Virustotal: Detection: 85% Perma Link
Source: 0TOEtGJHN8.exe Metadefender: Detection: 45% Perma Link
Source: 0TOEtGJHN8.exe ReversingLabs: Detection: 88%
Antivirus / Scanner detection for submitted sample
Source: 0TOEtGJHN8.exe Avira: detected
Machine Learning detection for sample
Source: 0TOEtGJHN8.exe Joe Sandbox ML: detected

Cryptography:

barindex
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD2290 CryptGetHashParam,CryptEncrypt,CryptDestroyHash,CryptDuplicateHash,memcpy,CryptExportKey,GetProcessHeap,RtlAllocateHeap, 4_2_02DD2290
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx, 4_2_02DD2650
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD1FB0 memcpy,GetProcessHeap,RtlAllocateHeap,CryptDestroyHash,CryptDuplicateHash, 4_2_02DD1FB0

Compliance:

barindex
Uses 32bit PE files
Source: 0TOEtGJHN8.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F538F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose, 0_2_02F538F0
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose, 4_2_02DD38F0

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 102.182.145.130:80
Source: Malware configuration extractor IPs: 173.173.254.105:80
Source: Malware configuration extractor IPs: 64.207.182.168:8080
Source: Malware configuration extractor IPs: 51.89.199.141:8080
Source: Malware configuration extractor IPs: 167.114.153.111:8080
Source: Malware configuration extractor IPs: 173.63.222.65:80
Source: Malware configuration extractor IPs: 218.147.193.146:80
Source: Malware configuration extractor IPs: 59.125.219.109:443
Source: Malware configuration extractor IPs: 172.104.97.173:8080
Source: Malware configuration extractor IPs: 190.162.215.233:80
Source: Malware configuration extractor IPs: 68.115.186.26:80
Source: Malware configuration extractor IPs: 78.188.106.53:443
Source: Malware configuration extractor IPs: 190.240.194.77:443
Source: Malware configuration extractor IPs: 24.133.106.23:80
Source: Malware configuration extractor IPs: 80.227.52.78:80
Source: Malware configuration extractor IPs: 79.137.83.50:443
Source: Malware configuration extractor IPs: 120.150.218.241:443
Source: Malware configuration extractor IPs: 62.171.142.179:8080
Source: Malware configuration extractor IPs: 194.4.58.192:7080
Source: Malware configuration extractor IPs: 62.30.7.67:443
Source: Malware configuration extractor IPs: 134.209.144.106:443
Source: Malware configuration extractor IPs: 24.230.141.169:80
Source: Malware configuration extractor IPs: 194.190.67.75:80
Source: Malware configuration extractor IPs: 172.91.208.86:80
Source: Malware configuration extractor IPs: 201.241.127.190:80
Source: Malware configuration extractor IPs: 185.94.252.104:443
Source: Malware configuration extractor IPs: 104.131.11.150:443
Source: Malware configuration extractor IPs: 71.15.245.148:8080
Source: Malware configuration extractor IPs: 176.111.60.55:8080
Source: Malware configuration extractor IPs: 172.86.188.251:8080
Source: Malware configuration extractor IPs: 194.187.133.160:443
Source: Malware configuration extractor IPs: 113.61.66.94:80
Source: Malware configuration extractor IPs: 91.211.88.52:7080
Source: Malware configuration extractor IPs: 202.134.4.216:8080
Source: Malware configuration extractor IPs: 154.91.33.137:443
Source: Malware configuration extractor IPs: 74.40.205.197:443
Source: Malware configuration extractor IPs: 87.106.139.101:8080
Source: Malware configuration extractor IPs: 66.76.12.94:8080
Source: Malware configuration extractor IPs: 139.59.60.244:8080
Source: Malware configuration extractor IPs: 112.185.64.233:80
Source: Malware configuration extractor IPs: 85.105.111.166:80
Source: Malware configuration extractor IPs: 74.208.45.104:8080
Source: Malware configuration extractor IPs: 94.230.70.6:80
Source: Malware configuration extractor IPs: 49.3.224.99:8080
Source: Malware configuration extractor IPs: 119.59.116.21:8080
Source: Malware configuration extractor IPs: 182.208.30.18:443
Source: Malware configuration extractor IPs: 184.180.181.202:80
Source: Malware configuration extractor IPs: 47.36.140.164:80
Source: Malware configuration extractor IPs: 186.70.56.94:443
Source: Malware configuration extractor IPs: 187.161.206.24:80
Source: Malware configuration extractor IPs: 102.182.93.220:80
Source: Malware configuration extractor IPs: 201.171.244.130:80
Source: Malware configuration extractor IPs: 190.12.119.180:443
Source: Malware configuration extractor IPs: 89.121.205.18:80
Source: Malware configuration extractor IPs: 110.145.77.103:80
Source: Malware configuration extractor IPs: 172.105.13.66:443
Source: Malware configuration extractor IPs: 108.46.29.236:80
Source: Malware configuration extractor IPs: 49.50.209.131:80
Source: Malware configuration extractor IPs: 75.143.247.51:80
Source: Malware configuration extractor IPs: 137.59.187.107:8080
Source: Malware configuration extractor IPs: 188.219.31.12:80
Source: Malware configuration extractor IPs: 61.33.119.226:443
Source: Malware configuration extractor IPs: 209.141.54.221:7080
Source: Malware configuration extractor IPs: 95.213.236.64:8080
Source: Malware configuration extractor IPs: 120.150.60.189:80
Source: Malware configuration extractor IPs: 190.164.104.62:80
Source: Malware configuration extractor IPs: 186.74.215.34:80
Source: Malware configuration extractor IPs: 139.99.158.11:443
Source: Malware configuration extractor IPs: 61.19.246.238:443
Source: Malware configuration extractor IPs: 121.7.31.214:80
Source: Malware configuration extractor IPs: 88.153.35.32:80
Source: Malware configuration extractor IPs: 5.39.91.110:7080
Source: Malware configuration extractor IPs: 123.142.37.166:80
Source: Malware configuration extractor IPs: 50.245.107.73:443
Source: Malware configuration extractor IPs: 95.9.5.93:80
Source: Malware configuration extractor IPs: 37.139.21.175:8080
Source: Malware configuration extractor IPs: 157.245.99.39:8080
Source: Malware configuration extractor IPs: 217.123.207.149:80
Source: Malware configuration extractor IPs: 72.186.136.247:443
Source: Malware configuration extractor IPs: 115.94.207.99:443
Source: Malware configuration extractor IPs: 202.141.243.254:443
Source: Malware configuration extractor IPs: 78.24.219.147:8080
Source: Malware configuration extractor IPs: 97.82.79.83:80
Source: Malware configuration extractor IPs: 217.20.166.178:7080
Source: Malware configuration extractor IPs: 203.153.216.189:7080
Source: Malware configuration extractor IPs: 220.245.198.194:80
Source: Malware configuration extractor IPs: 168.235.67.138:7080
Source: Malware configuration extractor IPs: 110.142.236.207:80
Source: Malware configuration extractor IPs: 162.241.140.129:8080
Source: Malware configuration extractor IPs: 76.175.162.101:80
Source: Malware configuration extractor IPs: 27.114.9.93:80
Source: Malware configuration extractor IPs: 24.178.90.49:80
Source: Malware configuration extractor IPs: 202.134.4.211:8080
Source: Malware configuration extractor IPs: 123.176.25.234:80
Source: Malware configuration extractor IPs: 61.76.222.210:80
Source: Malware configuration extractor IPs: 109.116.245.80:80
Source: Malware configuration extractor IPs: 139.162.60.124:8080
Source: Malware configuration extractor IPs: 190.108.228.27:443
Source: Malware configuration extractor IPs: 94.23.237.171:443
Source: Malware configuration extractor IPs: 2.58.16.89:8080
Source: Malware configuration extractor IPs: 37.179.204.33:80
Source: Malware configuration extractor IPs: 96.245.227.43:80
Source: Malware configuration extractor IPs: 216.139.123.119:80
Source: Malware configuration extractor IPs: 89.216.122.92:80
Source: Malware configuration extractor IPs: 37.187.72.193:8080
Source: Malware configuration extractor IPs: 74.214.230.200:80
Source: Malware configuration extractor IPs: 93.147.212.206:80
Source: Malware configuration extractor IPs: 103.86.49.11:8080
Source: Malware configuration extractor IPs: 174.106.122.139:80
Source: Malware configuration extractor IPs: 138.68.87.218:443
Source: Malware configuration extractor IPs: 118.83.154.64:443
Source: Malware configuration extractor IPs: 200.116.145.225:443
Source: Malware configuration extractor IPs: 94.200.114.161:80
Source: Malware configuration extractor IPs: 62.75.141.82:80
Source: Malware configuration extractor IPs: 121.124.124.40:7080
Source: Malware configuration extractor IPs: 176.113.52.6:443
Source: Malware configuration extractor IPs: 24.137.76.62:80
Source: Malware configuration extractor IPs: 41.185.28.84:8080
Source: Malware configuration extractor IPs: 50.91.114.38:80
Source: Malware configuration extractor IPs: 46.105.131.79:8080
Source: Malware configuration extractor IPs: 109.74.5.95:8080
Source: Malware configuration extractor IPs: 67.170.250.203:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HOSTER-KZ HOSTER-KZ
Source: Joe Sandbox View ASN Name: AfrihostZA AfrihostZA
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 194.4.58.192 194.4.58.192
Source: Joe Sandbox View IP Address: 95.9.5.93 95.9.5.93
Source: Joe Sandbox View IP Address: 94.200.114.161 94.200.114.161
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49760 -> 64.207.182.168:8080
Source: global traffic TCP traffic: 192.168.2.4:49821 -> 51.89.199.141:8080
Source: global traffic TCP traffic: 192.168.2.4:49830 -> 167.114.153.111:8080
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 34
Source: unknown TCP traffic detected without corresponding DNS query: 102.182.145.130
Source: unknown TCP traffic detected without corresponding DNS query: 102.182.145.130
Source: unknown TCP traffic detected without corresponding DNS query: 102.182.145.130
Source: unknown TCP traffic detected without corresponding DNS query: 173.173.254.105
Source: unknown TCP traffic detected without corresponding DNS query: 173.173.254.105
Source: unknown TCP traffic detected without corresponding DNS query: 173.173.254.105
Source: unknown TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown TCP traffic detected without corresponding DNS query: 173.63.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 173.63.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 173.63.222.65
Source: svchost.exe, 0000000C.00000003.774874421.000001DFA7981000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000C.00000003.774874421.000001DFA7981000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000C.00000003.774874421.000001DFA7981000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-09-03T08:13:47.6485296Z||.||9eff4c9e-5599-4773-81dc-0299af880dd5||1152921505693851877||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000C.00000003.774874421.000001DFA7981000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-09-03T08:13:47.6485296Z||.||9eff4c9e-5599-4773-81dc-0299af880dd5||1152921505693851877||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000C.00000003.766477397.000001DFA7981000.00000004.00000001.sdmp String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detec equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000C.00000003.766477397.000001DFA7981000.00000004.00000001.sdmp String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detec equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000C.00000003.766477397.000001DFA7981000.00000004.00000001.sdmp String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detec equals www.youtube.com (Youtube)
Source: svchost.exe, 0000000C.00000003.766506617.000001DFA7E1D000.00000004.00000001.sdmp String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: svchost.exe, 0000000C.00000003.766506617.000001DFA7E1D000.00000004.00000001.sdmp String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: svchost.exe, 0000000C.00000003.766506617.000001DFA7E1D000.00000004.00000001.sdmp String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: signdrv.exe, 00000004.00000003.860042980.0000000003172000.00000004.00000001.sdmp String found in binary or memory: http://102.182.145.130/GW9pD1/
Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp String found in binary or memory: http://167.114.153.111:8080/Y8QcFjXY9mTwqEUtHZi/jo0m0vlpkUvB8EqBbI/fLIWQI1S3rZ/hVNDUF/QmsdwGh/1dNDF7
Source: signdrv.exe, 00000004.00000003.860042980.0000000003172000.00000004.00000001.sdmp String found in binary or memory: http://173.173.254.105/eRt0rf/h47E/PPGzddI6qtwJHCcrLv/
Source: signdrv.exe, 00000004.00000003.860042980.0000000003172000.00000004.00000001.sdmp String found in binary or memory: http://173.173.254.105/eRt0rf/h47E/PPGzddI6qtwJHCcrLv/4
Source: signdrv.exe, 00000004.00000002.927418525.0000000002EF6000.00000004.00000001.sdmp String found in binary or memory: http://173.173.254.105/eRt0rf/h47E/PPGzddI6qtwJHCcrLv/B
Source: signdrv.exe, 00000004.00000003.860042980.0000000003172000.00000004.00000001.sdmp String found in binary or memory: http://173.173.254.105/eRt0rf/h47E/PPGzddI6qtwJHCcrLv/G
Source: signdrv.exe, 00000004.00000002.927418525.0000000002EF6000.00000004.00000001.sdmp String found in binary or memory: http://173.173.254.105/eRt0rf/h47E/PPGzddI6qtwJHCcrLv/J
Source: signdrv.exe, 00000004.00000003.860042980.0000000003172000.00000004.00000001.sdmp String found in binary or memory: http://173.173.254.105/eRt0rf/h47E/PPGzddI6qtwJHCcrLv/p
Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp String found in binary or memory: http://173.63.222.65/9ZCmKiFO7uHPn84/3EvH6ueL/1JsHphUq/xlmyNF0tH4Btuub/
Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp String found in binary or memory: http://173.63.222.65/9ZCmKiFO7uHPn84/3EvH6ueL/1JsHphUq/xlmyNF0tH4Btuub/$
Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp String found in binary or memory: http://173.63.222.65/9ZCmKiFO7uHPn84/3EvH6ueL/1JsHphUq/xlmyNF0tH4Btuub/t
Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp String found in binary or memory: http://173.63.222.65/9ZCmKiFO7uHPn84/3EvH6ueL/1JsHphUq/xlmyNF0tH4Btuub/~
Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp String found in binary or memory: http://51.89.199.141:8080/D9XLHb/nDTPEm8/mQcO7qSsE6DgkWRoP/5bBQ4sqVDIFS/KjX037lSEGPiO0wQmiO/
Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp String found in binary or memory: http://51.89.199.141:8080/D9XLHb/nDTPEm8/mQcO7qSsE6DgkWRoP/5bBQ4sqVDIFS/KjX037lSEGPiO0wQmiO/%
Source: svchost.exe, 0000000C.00000002.786933919.000001DFA7900000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000C.00000002.786799839.000001DFA72EC000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000C.00000003.766477397.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.766506617.000001DFA7E1D000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 0000000C.00000003.766477397.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.766506617.000001DFA7E1D000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 0000000C.00000003.773810411.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.773770820.000001DFA79A5000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000000C.00000003.773810411.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.773770820.000001DFA79A5000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000000C.00000003.773810411.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.773770820.000001DFA79A5000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 0000000C.00000003.766477397.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.766506617.000001DFA7E1D000.00000004.00000001.sdmp String found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
Source: svchost.exe, 0000000C.00000003.773810411.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.773770820.000001DFA79A5000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000000C.00000003.773810411.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.773770820.000001DFA79A5000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy
Source: svchost.exe, 0000000C.00000003.767642393.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.767628847.000001DFA799C000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: 0TOEtGJHN8.exe, 00000000.00000002.666782953.0000000000FCA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

barindex
Yara detected Emotet
Source: Yara match File source: 4.2.signdrv.exe.e3052e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.2f50000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.signdrv.exe.e3279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.2b6279e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.2b6052e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.signdrv.exe.e3279e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.signdrv.exe.2dd0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.signdrv.exe.e3052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.2b6052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.2b6279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.667325990.0000000002B60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.667365539.0000000002BA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.926653493.0000000000E30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.927258349.0000000002DD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.667403377.0000000002F51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.927204458.0000000002D94000.00000004.00000001.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx, 4_2_02DD2650

System Summary:

barindex
Uses 32bit PE files
Source: 0TOEtGJHN8.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe File deleted: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe:Zone.Identifier Jump to behavior
Creates files inside the system directory
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe File created: C:\Windows\SysWOW64\KBDOGHAM\ Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F58240 0_2_02F58240
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F53BA0 0_2_02F53BA0
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F51C70 0_2_02F51C70
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F57740 0_2_02F57740
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F56530 0_2_02F56530
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F53F20 0_2_02F53F20
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F53D10 0_2_02F53D10
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B65ABE 0_2_02B65ABE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B692DE 0_2_02B692DE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B6573E 0_2_02B6573E
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B658AE 0_2_02B658AE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B680CE 0_2_02B680CE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B6380E 0_2_02B6380E
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B77069 0_2_02B77069
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B69DDE 0_2_02B69DDE
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD8240 4_2_02DD8240
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD3BA0 4_2_02DD3BA0
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD7740 4_2_02DD7740
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD1C70 4_2_02DD1C70
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD3D10 4_2_02DD3D10
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD6530 4_2_02DD6530
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD3F20 4_2_02DD3F20
Source: 0TOEtGJHN8.exe Virustotal: Detection: 85%
Source: 0TOEtGJHN8.exe Metadefender: Detection: 45%
Source: 0TOEtGJHN8.exe ReversingLabs: Detection: 88%
Source: 0TOEtGJHN8.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\0TOEtGJHN8.exe 'C:\Users\user\Desktop\0TOEtGJHN8.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Process created: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Process created: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Jump to behavior
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: classification engine Classification label: mal92.troj.evad.winEXE@9/0@0/100
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: CloseServiceHandle,_snwprintf,CreateServiceW,CloseServiceHandle, 0_2_02F587D0
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F55070 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap, 0_2_02F55070
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD4CB0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification, 4_2_02DD4CB0
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F55DF0 push ecx; mov dword ptr [esp], 0000AAF5h 0_2_02F55DF1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F55EF0 push ecx; mov dword ptr [esp], 0000669Ch 0_2_02F55EF1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F55CD0 push ecx; mov dword ptr [esp], 00001CE1h 0_2_02F55CD1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F55DC0 push ecx; mov dword ptr [esp], 000089FAh 0_2_02F55DC1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F55EA0 push ecx; mov dword ptr [esp], 0000A3FDh 0_2_02F55EA1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F55D90 push ecx; mov dword ptr [esp], 0000B2E0h 0_2_02F55D91
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F55D50 push ecx; mov dword ptr [esp], 00006847h 0_2_02F55D51
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F55D20 push ecx; mov dword ptr [esp], 0000C5A1h 0_2_02F55D21
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F55F20 push ecx; mov dword ptr [esp], 0000E36Ch 0_2_02F55F21
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F55E10 push ecx; mov dword ptr [esp], 0000F5B3h 0_2_02F55E11
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F55D00 push ecx; mov dword ptr [esp], 00001F9Eh 0_2_02F55D01
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B67ABE push ecx; mov dword ptr [esp], 0000E36Ch 0_2_02B67ABF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B83E9C push ebx; iretd 0_2_02B83EAF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B83E9C push FFFFFF95h; iretd 0_2_02B83EF1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B67A8E push ecx; mov dword ptr [esp], 0000669Ch 0_2_02B67A8F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B67A3E push ecx; mov dword ptr [esp], 0000A3FDh 0_2_02B67A3F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B678BE push ecx; mov dword ptr [esp], 0000C5A1h 0_2_02B678BF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B6789E push ecx; mov dword ptr [esp], 00001F9Eh 0_2_02B6789F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B678EE push ecx; mov dword ptr [esp], 00006847h 0_2_02B678EF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B6786E push ecx; mov dword ptr [esp], 00001CE1h 0_2_02B6786F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B679AE push ecx; mov dword ptr [esp], 0000F5B3h 0_2_02B679AF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B6798E push ecx; mov dword ptr [esp], 0000AAF5h 0_2_02B6798F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B7858F push edi; iretd 0_2_02B785A1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B839D9 push ss; iretd 0_2_02B839DE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B6792E push ecx; mov dword ptr [esp], 0000B2E0h 0_2_02B6792F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B6795E push ecx; mov dword ptr [esp], 000089FAh 0_2_02B6795F
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD5CD0 push ecx; mov dword ptr [esp], 00001CE1h 4_2_02DD5CD1
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD5DC0 push ecx; mov dword ptr [esp], 000089FAh 4_2_02DD5DC1
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD5DF0 push ecx; mov dword ptr [esp], 0000AAF5h 4_2_02DD5DF1
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD5EF0 push ecx; mov dword ptr [esp], 0000669Ch 4_2_02DD5EF1
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD5D90 push ecx; mov dword ptr [esp], 0000B2E0h 4_2_02DD5D91
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02BA1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, 0_2_02BA1030

Persistence and Installation Behavior:

barindex
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Executable created and started: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Jump to behavior
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe PE file moved: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe File opened: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe:Zone.Identifier read attributes | delete Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior

Malware Analysis System Evasion:

barindex
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 5468 Thread sleep time: -180000s >= -30000s Jump to behavior
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap, 0_2_02F55070
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F538F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose, 0_2_02F538F0
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose, 4_2_02DD38F0
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: svchost.exe, 0000000C.00000002.786813778.000001DFA72FB000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000002.00000002.924057917.000002363A802000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: signdrv.exe, 00000004.00000003.860042980.0000000003172000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.786799839.000001DFA72EC000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02BA1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, 0_2_02BA1030
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F538F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose, 0_2_02F538F0
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F53F20 mov eax, dword ptr fs:[00000030h] 0_2_02F53F20
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F54E20 mov eax, dword ptr fs:[00000030h] 0_2_02F54E20
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B65ABE mov eax, dword ptr fs:[00000030h] 0_2_02B65ABE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B60456 mov eax, dword ptr fs:[00000030h] 0_2_02B60456
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B669BE mov eax, dword ptr fs:[00000030h] 0_2_02B669BE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02B6095E mov eax, dword ptr fs:[00000030h] 0_2_02B6095E
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02BA1030 mov eax, dword ptr fs:[00000030h] 0_2_02BA1030
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD3F20 mov eax, dword ptr fs:[00000030h] 4_2_02DD3F20
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD4E20 mov eax, dword ptr fs:[00000030h] 4_2_02DD4E20
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02D91030 mov eax, dword ptr fs:[00000030h] 4_2_02D91030
Source: signdrv.exe, 00000004.00000002.927120135.0000000001530000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: signdrv.exe, 00000004.00000002.927120135.0000000001530000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: signdrv.exe, 00000004.00000002.927120135.0000000001530000.00000002.00020000.sdmp Binary or memory string: Progman
Source: signdrv.exe, 00000004.00000002.927120135.0000000001530000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02F57EC0 _snwprintf,GetProcessHeap,SetFileInformationByHandle,SetFileInformationByHandle,GetSystemTimeAsFileTime,CreateFileW,CreateFileW,CloseHandle, 0_2_02F57EC0
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe Code function: 4_2_02DD5360 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo, 4_2_02DD5360

Stealing of Sensitive Information:

barindex
Yara detected Emotet
Source: Yara match File source: 4.2.signdrv.exe.e3052e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.2f50000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.signdrv.exe.e3279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.2b6279e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.2b6052e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.signdrv.exe.e3279e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.signdrv.exe.2dd0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.signdrv.exe.e3052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.2b6052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.2b6279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.667325990.0000000002B60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.667365539.0000000002BA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.926653493.0000000000E30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.927258349.0000000002DD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.667403377.0000000002F51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.927204458.0000000002D94000.00000004.00000001.sdmp, type: MEMORY