
Windows Analysis Report 0TOEtGJHN8

Overview

General Information

Sample Name:0TOEtGJHN8 (renamed file extension from none to exe)
Analysis ID:480340
MD5:3639d17c4944743ac5c70c4e1bd30178
SHA1:0047a882cf542b94754496c8cb985ab64561f72c
SHA256:2cb7516c937ad8b9467ca417530651e34340d231c3696149c7d7b22e24ffaf9b

Detection

Emotet
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
Machine Learning detection for sample
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

  • System is w10x64
  • 0TOEtGJHN8.exe (PID: 6232 cmdline: 'C:\Users\user\Desktop\0TOEtGJHN8.exe' MD5: 3639D17C4944743AC5C70C4E1BD30178)
    • signdrv.exe (PID: 6516 cmdline: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe MD5: 3639D17C4944743AC5C70C4E1BD30178)
  • svchost.exe (PID: 2804 cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6544 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1020 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6948 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6964 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3228 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["102.182.145.130:80", "173.173.254.105:80", "64.207.182.168:8080", "51.89.199.141:8080", "167.114.153.111:8080", "173.63.222.65:80", "218.147.193.146:80", "59.125.219.109:443", "172.104.97.173:8080", "190.162.215.233:80", "68.115.186.26:80", "78.188.106.53:443", "190.240.194.77:443", "24.133.106.23:80", "80.227.52.78:80", "79.137.83.50:443", "120.150.218.241:443", "62.171.142.179:8080", "194.4.58.192:7080", "62.30.7.67:443", "134.209.144.106:443", "24.230.141.169:80", "194.190.67.75:80", "172.91.208.86:80", "201.241.127.190:80", "185.94.252.104:443", "104.131.11.150:443", "71.15.245.148:8080", "176.111.60.55:8080", "172.86.188.251:8080", "194.187.133.160:443", "113.61.66.94:80", "91.211.88.52:7080", "202.134.4.216:8080", "154.91.33.137:443", "74.40.205.197:443", "87.106.139.101:8080", "66.76.12.94:8080", "139.59.60.244:8080", "112.185.64.233:80", "85.105.111.166:80", "74.208.45.104:8080", "94.230.70.6:80", "49.3.224.99:8080", "119.59.116.21:8080", "182.208.30.18:443", "184.180.181.202:80", "47.36.140.164:80", "186.70.56.94:443", "187.161.206.24:80", "102.182.93.220:80", "201.171.244.130:80", "190.12.119.180:443", "89.121.205.18:80", "110.145.77.103:80", "172.105.13.66:443", "108.46.29.236:80", "49.50.209.131:80", "75.143.247.51:80", "137.59.187.107:8080", "188.219.31.12:80", "61.33.119.226:443", "209.141.54.221:7080", "95.213.236.64:8080", "120.150.60.189:80", "190.164.104.62:80", "186.74.215.34:80", "139.99.158.11:443", "61.19.246.238:443", "121.7.31.214:80", "88.153.35.32:80", "5.39.91.110:7080", "123.142.37.166:80", "50.245.107.73:443", "95.9.5.93:80", "37.139.21.175:8080", "157.245.99.39:8080", "217.123.207.149:80", "72.186.136.247:443", "115.94.207.99:443", "202.141.243.254:443", "78.24.219.147:8080", "97.82.79.83:80", "217.20.166.178:7080", 
"203.153.216.189:7080", "220.245.198.194:80", "168.235.67.138:7080", "110.142.236.207:80", "162.241.140.129:8080", "76.175.162.101:80", "27.114.9.93:80", "24.178.90.49:80", "202.134.4.211:8080", "123.176.25.234:80", "61.76.222.210:80", "109.116.245.80:80", "139.162.60.124:8080", "190.108.228.27:443", "94.23.237.171:443", "2.58.16.89:8080", "37.179.204.33:80", "96.245.227.43:80", "216.139.123.119:80", "89.216.122.92:80", "37.187.72.193:8080", "74.214.230.200:80", "93.147.212.206:80", "103.86.49.11:8080", "174.106.122.139:80", "138.68.87.218:443", "118.83.154.64:443", "200.116.145.225:443", "94.200.114.161:80", "62.75.141.82:80", "121.124.124.40:7080", "176.113.52.6:443", "24.137.76.62:80", "41.185.28.84:8080", "50.91.114.38:80", "46.105.131.79:8080", "109.74.5.95:8080", "67.170.250.203:443"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.667325990.0000000002B60000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.667365539.0000000002BA4000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000004.00000002.926653493.0000000000E30000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000004.00000002.927258349.0000000002DD1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.667403377.0000000002F51000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

            Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.signdrv.exe.e3052e.2.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0.2.0TOEtGJHN8.exe.2f50000.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
4.2.signdrv.exe.e3279e.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0.2.0TOEtGJHN8.exe.2b6279e.2.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0.2.0TOEtGJHN8.exe.2b6052e.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.0TOEtGJHN8.exe.2b6052e.1.unpack; Malware Configuration Extractor: Emotet (same RSA public key and C2 list as given under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 0TOEtGJHN8.exe; Virustotal: Detection: 85%
Source: 0TOEtGJHN8.exe; Metadefender: Detection: 45%
Source: 0TOEtGJHN8.exe; ReversingLabs: Detection: 88%
Antivirus / Scanner detection for submitted sample
Source: 0TOEtGJHN8.exe; Avira: detected
Machine Learning detection for sample
Source: 0TOEtGJHN8.exe; Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe; Code function: 4_2_02DD2290 CryptGetHashParam,CryptEncrypt,CryptDestroyHash,CryptDuplicateHash,memcpy,CryptExportKey,GetProcessHeap,RtlAllocateHeap,4_2_02DD2290
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe; Code function: 4_2_02DD2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,4_2_02DD2650
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe; Code function: 4_2_02DD1FB0 memcpy,GetProcessHeap,RtlAllocateHeap,CryptDestroyHash,CryptDuplicateHash,4_2_02DD1FB0
Source: 0TOEtGJHN8.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe; Code function: 0_2_02F538F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,0_2_02F538F0
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe; Code function: 4_2_02DD38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,4_2_02DD38F0

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; IPs: 102.182.145.130:80
Source: Malware configuration extractor; IPs: 173.173.254.105:80
Source: Malware configuration extractor; IPs: 64.207.182.168:8080
Source: Malware configuration extractor; IPs: 51.89.199.141:8080
Source: Malware configuration extractor; IPs: 167.114.153.111:8080
Source: Malware configuration extractor; IPs: 173.63.222.65:80
Source: Malware configuration extractor; IPs: 218.147.193.146:80
Source: Malware configuration extractor; IPs: 59.125.219.109:443
Source: Malware configuration extractor; IPs: 172.104.97.173:8080
Source: Malware configuration extractor; IPs: 190.162.215.233:80
Source: Malware configuration extractor; IPs: 68.115.186.26:80
Source: Malware configuration extractor; IPs: 78.188.106.53:443
Source: Malware configuration extractor; IPs: 190.240.194.77:443
Source: Malware configuration extractor; IPs: 24.133.106.23:80
Source: Malware configuration extractor; IPs: 80.227.52.78:80
Source: Malware configuration extractor; IPs: 79.137.83.50:443
Source: Malware configuration extractor; IPs: 120.150.218.241:443
Source: Malware configuration extractor; IPs: 62.171.142.179:8080
Source: Malware configuration extractor; IPs: 194.4.58.192:7080
Source: Malware configuration extractor; IPs: 62.30.7.67:443
Source: Malware configuration extractor; IPs: 134.209.144.106:443
Source: Malware configuration extractor; IPs: 24.230.141.169:80
Source: Malware configuration extractor; IPs: 194.190.67.75:80
Source: Malware configuration extractor; IPs: 172.91.208.86:80
Source: Malware configuration extractor; IPs: 201.241.127.190:80
Source: Malware configuration extractor; IPs: 185.94.252.104:443
Source: Malware configuration extractor; IPs: 104.131.11.150:443
Source: Malware configuration extractor; IPs: 71.15.245.148:8080
Source: Malware configuration extractor; IPs: 176.111.60.55:8080
Source: Malware configuration extractor; IPs: 172.86.188.251:8080
Source: Malware configuration extractor; IPs: 194.187.133.160:443
Source: Malware configuration extractor; IPs: 113.61.66.94:80
Source: Malware configuration extractor; IPs: 91.211.88.52:7080
Source: Malware configuration extractor; IPs: 202.134.4.216:8080
Source: Malware configuration extractor; IPs: 154.91.33.137:443
Source: Malware configuration extractor; IPs: 74.40.205.197:443
Source: Malware configuration extractor; IPs: 87.106.139.101:8080
Source: Malware configuration extractor; IPs: 66.76.12.94:8080
Source: Malware configuration extractor; IPs: 139.59.60.244:8080
Source: Malware configuration extractor; IPs: 112.185.64.233:80
Source: Malware configuration extractor; IPs: 85.105.111.166:80
Source: Malware configuration extractor; IPs: 74.208.45.104:8080
Source: Malware configuration extractor; IPs: 94.230.70.6:80
Source: Malware configuration extractor; IPs: 49.3.224.99:8080
Source: Malware configuration extractor; IPs: 119.59.116.21:8080
Source: Malware configuration extractor; IPs: 182.208.30.18:443
Source: Malware configuration extractor; IPs: 184.180.181.202:80
Source: Malware configuration extractor; IPs: 47.36.140.164:80
Source: Malware configuration extractor; IPs: 186.70.56.94:443
Source: Malware configuration extractor; IPs: 187.161.206.24:80
Source: Malware configuration extractor; IPs: 102.182.93.220:80
Source: Malware configuration extractor; IPs: 201.171.244.130:80
Source: Malware configuration extractor; IPs: 190.12.119.180:443
Source: Malware configuration extractor; IPs: 89.121.205.18:80
Source: Malware configuration extractor; IPs: 110.145.77.103:80
Source: Malware configuration extractor; IPs: 172.105.13.66:443
Source: Malware configuration extractor; IPs: 108.46.29.236:80
Source: Malware configuration extractor; IPs: 49.50.209.131:80
Source: Malware configuration extractor; IPs: 75.143.247.51:80
Source: Malware configuration extractor; IPs: 137.59.187.107:8080
Source: Malware configuration extractor; IPs: 188.219.31.12:80
Source: Malware configuration extractor; IPs: 61.33.119.226:443
Source: Malware configuration extractor; IPs: 209.141.54.221:7080
Source: Malware configuration extractor; IPs: 95.213.236.64:8080
Source: Malware configuration extractor; IPs: 120.150.60.189:80
Source: Malware configuration extractor; IPs: 190.164.104.62:80
Source: Malware configuration extractor; IPs: 186.74.215.34:80
Source: Malware configuration extractor; IPs: 139.99.158.11:443
Source: Malware configuration extractor; IPs: 61.19.246.238:443
Source: Malware configuration extractor; IPs: 121.7.31.214:80
Source: Malware configuration extractor; IPs: 88.153.35.32:80
Source: Malware configuration extractor; IPs: 5.39.91.110:7080
Source: Malware configuration extractor; IPs: 123.142.37.166:80
Source: Malware configuration extractor; IPs: 50.245.107.73:443
Source: Malware configuration extractor; IPs: 95.9.5.93:80
Source: Malware configuration extractor; IPs: 37.139.21.175:8080
Source: Malware configuration extractor; IPs: 157.245.99.39:8080
Source: Malware configuration extractor; IPs: 217.123.207.149:80
Source: Malware configuration extractor; IPs: 72.186.136.247:443
Source: Malware configuration extractor; IPs: 115.94.207.99:443
Source: Malware configuration extractor; IPs: 202.141.243.254:443
Source: Malware configuration extractor; IPs: 78.24.219.147:8080
Source: Malware configuration extractor; IPs: 97.82.79.83:80
Source: Malware configuration extractor; IPs: 217.20.166.178:7080
Source: Malware configuration extractor; IPs: 203.153.216.189:7080
Source: Malware configuration extractor; IPs: 220.245.198.194:80
Source: Malware configuration extractor; IPs: 168.235.67.138:7080
Source: Malware configuration extractor; IPs: 110.142.236.207:80
Source: Malware configuration extractor; IPs: 162.241.140.129:8080
Source: Malware configuration extractor; IPs: 76.175.162.101:80
Source: Malware configuration extractor; IPs: 27.114.9.93:80
Source: Malware configuration extractor; IPs: 24.178.90.49:80
Source: Malware configuration extractor; IPs: 202.134.4.211:8080
Source: Malware configuration extractor; IPs: 123.176.25.234:80
Source: Malware configuration extractor; IPs: 61.76.222.210:80
Source: Malware configuration extractor; IPs: 109.116.245.80:80
Source: Malware configuration extractor; IPs: 139.162.60.124:8080
Source: Malware configuration extractor; IPs: 190.108.228.27:443
Source: Malware configuration extractor; IPs: 94.23.237.171:443
Source: Malware configuration extractor; IPs: 2.58.16.89:8080
Source: Malware configuration extractor; IPs: 37.179.204.33:80
Source: Malware configuration extractor; IPs: 96.245.227.43:80
Source: Malware configuration extractor; IPs: 216.139.123.119:80
Source: Malware configuration extractor; IPs: 89.216.122.92:80
Source: Malware configuration extractor; IPs: 37.187.72.193:8080
Source: Malware configuration extractor; IPs: 74.214.230.200:80
Source: Malware configuration extractor; IPs: 93.147.212.206:80
Source: Malware configuration extractor; IPs: 103.86.49.11:8080
Source: Malware configuration extractor; IPs: 174.106.122.139:80
Source: Malware configuration extractor; IPs: 138.68.87.218:443
Source: Malware configuration extractor; IPs: 118.83.154.64:443
Source: Malware configuration extractor; IPs: 200.116.145.225:443
Source: Malware configuration extractor; IPs: 94.200.114.161:80
Source: Malware configuration extractor; IPs: 62.75.141.82:80
Source: Malware configuration extractor; IPs: 121.124.124.40:7080
Source: Malware configuration extractor; IPs: 176.113.52.6:443
Source: Malware configuration extractor; IPs: 24.137.76.62:80
Source: Malware configuration extractor; IPs: 41.185.28.84:8080
Source: Malware configuration extractor; IPs: 50.91.114.38:80
Source: Malware configuration extractor; IPs: 46.105.131.79:8080
Source: Malware configuration extractor; IPs: 109.74.5.95:8080
Source: Malware configuration extractor; IPs: 67.170.250.203:443
Source: Joe Sandbox View; ASN Name: HOSTER-KZ HOSTER-KZ
Source: Joe Sandbox View; ASN Name: AfrihostZA AfrihostZA
Source: Joe Sandbox View; IP Address: 194.4.58.192 194.4.58.192
Source: Joe Sandbox View; IP Address: 95.9.5.93 95.9.5.93
Source: Joe Sandbox View; IP Address: 94.200.114.161 94.200.114.161
Source: global traffic; TCP traffic: 192.168.2.4:49760 -> 64.207.182.168:8080
Source: global traffic; TCP traffic: 192.168.2.4:49821 -> 51.89.199.141:8080
Source: global traffic; TCP traffic: 192.168.2.4:49830 -> 167.114.153.111:8080
Source: unknown; Network traffic detected: IP country count 34
Source: unknown; TCP traffic detected without corresponding DNS query: 102.182.145.130
Source: unknown; TCP traffic detected without corresponding DNS query: 102.182.145.130
Source: unknown; TCP traffic detected without corresponding DNS query: 102.182.145.130
Source: unknown; TCP traffic detected without corresponding DNS query: 173.173.254.105
Source: unknown; TCP traffic detected without corresponding DNS query: 173.173.254.105
Source: unknown; TCP traffic detected without corresponding DNS query: 173.173.254.105
Source: unknown; TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown; TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown; TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown; TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown; TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown; TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown; TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown; TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown; TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown; TCP traffic detected without corresponding DNS query: 173.63.222.65
Source: unknown; TCP traffic detected without corresponding DNS query: 173.63.222.65
Source: unknown; TCP traffic detected without corresponding DNS query: 173.63.222.65
Source: svchost.exe, 0000000C.00000003.774874421.000001DFA7981000.00000004.00000001.sdmp; String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000C.00000003.774874421.000001DFA7981000.00000004.00000001.sdmp; String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000C.00000003.774874421.000001DFA7981000.00000004.00000001.sdmp; String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ"
,"VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-09-03T08:13:47.6485296Z||.||9eff4c9e-5599-4773-81dc-0299af880dd5||1152921505693851877||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
                      Source: svchost.exe, 0000000C.00000003.766477397.000001DFA7981000.00000004.00000001.sdmpString found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detec equals www.facebook.com (Facebook)
                      Source: svchost.exe, 0000000C.00000003.766477397.000001DFA7981000.00000004.00000001.sdmpString found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detec equals www.twitter.com (Twitter)
                      Source: svchost.exe, 0000000C.00000003.766477397.000001DFA7981000.00000004.00000001.sdmpString found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detec equals www.youtube.com (Youtube)
                      Source: svchost.exe, 0000000C.00000003.766506617.000001DFA7E1D000.00000004.00000001.sdmpString found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
                      Source: svchost.exe, 0000000C.00000003.766506617.000001DFA7E1D000.00000004.00000001.sdmpString found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
                      Source: svchost.exe, 0000000C.00000003.766506617.000001DFA7E1D000.00000004.00000001.sdmpString found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
                      Source: signdrv.exe, 00000004.00000003.860042980.0000000003172000.00000004.00000001.sdmp | String found in binary or memory: http://102.182.145.130/GW9pD1/
                      Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp | String found in binary or memory: http://167.114.153.111:8080/Y8QcFjXY9mTwqEUtHZi/jo0m0vlpkUvB8EqBbI/fLIWQI1S3rZ/hVNDUF/QmsdwGh/1dNDF7
                      Source: signdrv.exe, 00000004.00000003.860042980.0000000003172000.00000004.00000001.sdmp | String found in binary or memory: http://173.173.254.105/eRt0rf/h47E/PPGzddI6qtwJHCcrLv/
                      Source: signdrv.exe, 00000004.00000003.860042980.0000000003172000.00000004.00000001.sdmp | String found in binary or memory: http://173.173.254.105/eRt0rf/h47E/PPGzddI6qtwJHCcrLv/4
                      Source: signdrv.exe, 00000004.00000002.927418525.0000000002EF6000.00000004.00000001.sdmp | String found in binary or memory: http://173.173.254.105/eRt0rf/h47E/PPGzddI6qtwJHCcrLv/B
                      Source: signdrv.exe, 00000004.00000003.860042980.0000000003172000.00000004.00000001.sdmp | String found in binary or memory: http://173.173.254.105/eRt0rf/h47E/PPGzddI6qtwJHCcrLv/G
                      Source: signdrv.exe, 00000004.00000002.927418525.0000000002EF6000.00000004.00000001.sdmp | String found in binary or memory: http://173.173.254.105/eRt0rf/h47E/PPGzddI6qtwJHCcrLv/J
                      Source: signdrv.exe, 00000004.00000003.860042980.0000000003172000.00000004.00000001.sdmp | String found in binary or memory: http://173.173.254.105/eRt0rf/h47E/PPGzddI6qtwJHCcrLv/p
                      Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp | String found in binary or memory: http://173.63.222.65/9ZCmKiFO7uHPn84/3EvH6ueL/1JsHphUq/xlmyNF0tH4Btuub/
                      Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp | String found in binary or memory: http://173.63.222.65/9ZCmKiFO7uHPn84/3EvH6ueL/1JsHphUq/xlmyNF0tH4Btuub/$
                      Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp | String found in binary or memory: http://173.63.222.65/9ZCmKiFO7uHPn84/3EvH6ueL/1JsHphUq/xlmyNF0tH4Btuub/t
                      Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp | String found in binary or memory: http://173.63.222.65/9ZCmKiFO7uHPn84/3EvH6ueL/1JsHphUq/xlmyNF0tH4Btuub/~
                      Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp | String found in binary or memory: http://51.89.199.141:8080/D9XLHb/nDTPEm8/mQcO7qSsE6DgkWRoP/5bBQ4sqVDIFS/KjX037lSEGPiO0wQmiO/
                      Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp | String found in binary or memory: http://51.89.199.141:8080/D9XLHb/nDTPEm8/mQcO7qSsE6DgkWRoP/5bBQ4sqVDIFS/KjX037lSEGPiO0wQmiO/%
                      Source: svchost.exe, 0000000C.00000002.786933919.000001DFA7900000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: svchost.exe, 0000000C.00000002.786799839.000001DFA72EC000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
                      Source: svchost.exe, 0000000C.00000003.766477397.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.766506617.000001DFA7E1D000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
                      Source: svchost.exe, 0000000C.00000003.766477397.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.766506617.000001DFA7E1D000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/termsofservice
                      Source: svchost.exe, 0000000C.00000003.773810411.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.773770820.000001DFA79A5000.00000004.00000001.sdmp | String found in binary or memory: https://corp.roblox.com/contact/
                      Source: svchost.exe, 0000000C.00000003.773810411.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.773770820.000001DFA79A5000.00000004.00000001.sdmp | String found in binary or memory: https://corp.roblox.com/parents/
                      Source: svchost.exe, 0000000C.00000003.773810411.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.773770820.000001DFA79A5000.00000004.00000001.sdmp | String found in binary or memory: https://en.help.roblox.com/hc/en-us
                      Source: svchost.exe, 0000000C.00000003.766477397.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.766506617.000001DFA7E1D000.00000004.00000001.sdmp | String found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
                      Source: svchost.exe, 0000000C.00000003.773810411.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.773770820.000001DFA79A5000.00000004.00000001.sdmp | String found in binary or memory: https://www.roblox.com/develop
                      Source: svchost.exe, 0000000C.00000003.773810411.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.773770820.000001DFA79A5000.00000004.00000001.sdmp | String found in binary or memory: https://www.roblox.com/info/privacy
                      Source: svchost.exe, 0000000C.00000003.767642393.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.767628847.000001DFA799C000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: 0TOEtGJHN8.exe, 00000000.00000002.666782953.0000000000FCA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      E-Banking Fraud:

                      Yara detected Emotet
                      Source: Yara match | File source: 4.2.signdrv.exe.e3052e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.0TOEtGJHN8.exe.2f50000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.signdrv.exe.e3279e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.0TOEtGJHN8.exe.2b6279e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.0TOEtGJHN8.exe.2b6052e.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.signdrv.exe.e3279e.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.signdrv.exe.2dd0000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.signdrv.exe.e3052e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.0TOEtGJHN8.exe.2b6052e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.0TOEtGJHN8.exe.2b6279e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.667325990.0000000002B60000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.667365539.0000000002BA4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.926653493.0000000000E30000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.927258349.0000000002DD1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.667403377.0000000002F51000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.927204458.0000000002D94000.00000004.00000001.sdmp, type: MEMORY
                      Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe | Code function: 4_2_02DD2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx | 4_2_02DD2650
                      Source: 0TOEtGJHN8.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeFile deleted: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe:Zone.IdentifierJump to behavior
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeFile created: C:\Windows\SysWOW64\KBDOGHAM\Jump to behavior
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02F582400_2_02F58240
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02F53BA00_2_02F53BA0
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02F51C700_2_02F51C70
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02F577400_2_02F57740
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02F565300_2_02F56530
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02F53F200_2_02F53F20
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02F53D100_2_02F53D10
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02B65ABE0_2_02B65ABE
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02B692DE0_2_02B692DE
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02B6573E0_2_02B6573E
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02B658AE0_2_02B658AE
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02B680CE0_2_02B680CE
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02B6380E0_2_02B6380E
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02B770690_2_02B77069
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02B69DDE0_2_02B69DDE
                      Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exeCode function: 4_2_02DD82404_2_02DD8240
                      Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exeCode function: 4_2_02DD3BA04_2_02DD3BA0
                      Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exeCode function: 4_2_02DD77404_2_02DD7740
                      Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exeCode function: 4_2_02DD1C704_2_02DD1C70
                      Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exeCode function: 4_2_02DD3D104_2_02DD3D10
                      Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exeCode function: 4_2_02DD65304_2_02DD6530
                      Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exeCode function: 4_2_02DD3F204_2_02DD3F20
                      Source: 0TOEtGJHN8.exeVirustotal: Detection: 85%
                      Source: 0TOEtGJHN8.exeMetadefender: Detection: 45%
                      Source: 0TOEtGJHN8.exeReversingLabs: Detection: 88%
                      Source: 0TOEtGJHN8.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\0TOEtGJHN8.exe 'C:\Users\user\Desktop\0TOEtGJHN8.exe'
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeProcess created: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeProcess created: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe C:\Windows\SysWOW64\KBDOGHAM\signdrv.exeJump to behavior
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                      Source: classification engineClassification label: mal92.troj.evad.winEXE@9/0@0/100
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: CloseServiceHandle,_snwprintf,CreateServiceW,CloseServiceHandle,0_2_02F587D0
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02F55070 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,0_2_02F55070
                      Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exeCode function: 4_2_02DD4CB0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification,4_2_02DD4CB0
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02F55DF0 push ecx; mov dword ptr [esp], 0000AAF5h0_2_02F55DF1
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02F55EF0 push ecx; mov dword ptr [esp], 0000669Ch0_2_02F55EF1
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02F55CD0 push ecx; mov dword ptr [esp], 00001CE1h0_2_02F55CD1
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02F55DC0 push ecx; mov dword ptr [esp], 000089FAh0_2_02F55DC1
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02F55EA0 push ecx; mov dword ptr [esp], 0000A3FDh0_2_02F55EA1
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02F55D90 push ecx; mov dword ptr [esp], 0000B2E0h0_2_02F55D91
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02F55D50 push ecx; mov dword ptr [esp], 00006847h0_2_02F55D51
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02F55D20 push ecx; mov dword ptr [esp], 0000C5A1h0_2_02F55D21
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02F55F20 push ecx; mov dword ptr [esp], 0000E36Ch0_2_02F55F21
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02F55E10 push ecx; mov dword ptr [esp], 0000F5B3h0_2_02F55E11
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exeCode function: 0_2_02F55D00 push ecx; mov dword ptr [esp], 00001F9Eh0_2_02F55D01
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B67ABE push ecx; mov dword ptr [esp], 0000E36Ch | 0_2_02B67ABF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B83E9C push ebx; iretd | 0_2_02B83EAF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B83E9C push FFFFFF95h; iretd | 0_2_02B83EF1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B67A8E push ecx; mov dword ptr [esp], 0000669Ch | 0_2_02B67A8F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B67A3E push ecx; mov dword ptr [esp], 0000A3FDh | 0_2_02B67A3F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B678BE push ecx; mov dword ptr [esp], 0000C5A1h | 0_2_02B678BF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B6789E push ecx; mov dword ptr [esp], 00001F9Eh | 0_2_02B6789F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B678EE push ecx; mov dword ptr [esp], 00006847h | 0_2_02B678EF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B6786E push ecx; mov dword ptr [esp], 00001CE1h | 0_2_02B6786F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B679AE push ecx; mov dword ptr [esp], 0000F5B3h | 0_2_02B679AF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B6798E push ecx; mov dword ptr [esp], 0000AAF5h | 0_2_02B6798F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B7858F push edi; iretd | 0_2_02B785A1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B839D9 push ss; iretd | 0_2_02B839DE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B6792E push ecx; mov dword ptr [esp], 0000B2E0h | 0_2_02B6792F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B6795E push ecx; mov dword ptr [esp], 000089FAh | 0_2_02B6795F
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe | Code function: 4_2_02DD5CD0 push ecx; mov dword ptr [esp], 00001CE1h | 4_2_02DD5CD1
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe | Code function: 4_2_02DD5DC0 push ecx; mov dword ptr [esp], 000089FAh | 4_2_02DD5DC1
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe | Code function: 4_2_02DD5DF0 push ecx; mov dword ptr [esp], 0000AAF5h | 4_2_02DD5DF1
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe | Code function: 4_2_02DD5EF0 push ecx; mov dword ptr [esp], 0000669Ch | 4_2_02DD5EF1
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe | Code function: 4_2_02DD5D90 push ecx; mov dword ptr [esp], 0000B2E0h | 4_2_02DD5D91
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02BA1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError | 0_2_02BA1030
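The pairs listed above are the obfuscation idiom behind the "Uses code obfuscation techniques (call, push, ret)" signature: `push ecx; mov dword ptr [esp], imm32` leaves exactly the same stack as a plain `push imm32` but hides the constant from a `push imm` pattern match, and the same constants recur in the dropped copy signdrv.exe. The following scanner is an added example written for this page; it is not code from the sample, from Emotet, or from Joe Sandbox. The byte buffer is constructed, and the base address 0x02B67ABE is borrowed from the report purely so the output is easy to compare with the lines above.

```python
"""Added example: locate push reg; mov dword ptr [esp], imm32 and push reg; iretd
pairs in a raw x86 code buffer.  push r32 ; mov [esp], imm32 == push imm32.
Constructed sample bytes; not code from the sample or the sandbox."""
import struct

# push r32 is the single byte 0x50 + register number
PUSH_REG = {0x50: "eax", 0x51: "ecx", 0x52: "edx", 0x53: "ebx",
            0x54: "esp", 0x55: "ebp", 0x56: "esi", 0x57: "edi"}
# mov dword ptr [esp], imm32 encodes as C7 04 24 imm32 (opcode, ModRM, SIB)
MOV_ESP_IMM = b"\xc7\x04\x24"
IRETD = 0xCF


def find_push_mov_esp(code: bytes, base: int = 0):
    """Return (address, register, imm32) for every push reg; mov [esp], imm32 pair.

    Linear byte scan, not a disassembler: a pair that happens to sit inside an
    immediate or inline data is reported too, so cross-check hits against a
    real disassembly before treating them as instructions."""
    hits = []
    i = 0
    while i + 8 <= len(code):
        if code[i] in PUSH_REG and code[i + 1:i + 4] == MOV_ESP_IMM:
            imm = struct.unpack_from("<I", code, i + 4)[0]
            hits.append((base + i, PUSH_REG[code[i]], imm))
            i += 8          # the whole 8-byte pair has been consumed
        else:
            i += 1
    return hits


def find_push_iretd(code: bytes, base: int = 0):
    """Return (address, register) for every push reg; iretd pair."""
    return [(base + i, PUSH_REG[code[i]])
            for i in range(len(code) - 1)
            if code[i] in PUSH_REG and code[i + 1] == IRETD]


def describe(hit) -> str:
    """Render a hit the way the report prints it, plus the equivalent plain push."""
    addr, reg, imm = hit
    return (f"{addr:08X} push {reg}; mov dword ptr [esp], {imm:08X}h"
            f"  ; == push {imm:08X}h")


def pair(imm: int) -> bytes:
    """Encode push ecx; mov dword ptr [esp], imm32 for the constructed sample."""
    return b"\x51" + MOV_ESP_IMM + struct.pack("<I", imm)


# Constructed sample: a prologue, three obfuscated pushes using immediates that
# appear in the report, a nop, one push ebx; iretd pair, and a ret.
SAMPLE = (b"\x55\x8b\xec"          # push ebp; mov ebp, esp
          + pair(0xE36C)
          + b"\x90"                # nop
          + pair(0x669C)
          + b"\x53\xcf"            # push ebx; iretd
          + pair(0xA3FD)
          + b"\xc3")               # ret
BASE = 0x02B67ABE                  # illustrative base taken from the report


if __name__ == "__main__":
    for h in find_push_mov_esp(SAMPLE, BASE):
        print(describe(h))
    for addr, reg in find_push_iretd(SAMPLE, BASE):
        print(f"{addr:08X} push {reg}; iretd")
```

Running it over a dumped .text section gives a quick count of how many of these pairs a build contains, which is a usable feature for clustering samples from the same packer; the `push reg; iretd` hits are worth a look in a disassembler, since in a normal user-mode binary they are more often misaligned data than intended control flow.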

                      Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Executable created and started: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | PE file moved: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe

                      Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | File opened: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe:Zone.Identifier (read attributes | delete)
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
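The Zone.Identifier stream is the NTFS alternate data stream that browsers and mail clients write on downloaded files (the mark of the web). Opening it with delete access on the dropped copy, as the report shows, removes the evidence that the file came from the Internet zone and with it the checks that key on that zone. The following code is an added example for this page, not code from the sample or from Joe Sandbox; the stream contents and URLs are constructed, and the ADS read only works on an NTFS volume under Windows (elsewhere it reports the mark as absent).

```python
"""Added example: read and interpret a Zone.Identifier stream and express the
condition the report's zone.identifier signature describes (mark present on the
original, absent on the copy that runs).  Constructed input; not sample code."""
import configparser
from dataclasses import dataclass
from typing import Optional

# URLZONE values as stored in ZoneId
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown ({self.zone_id})")

    @property
    def from_internet(self) -> bool:
        # Zone 3 (Internet) is what MotW-based checks such as SmartScreen and
        # Office Protected View key on; 4 (Restricted) is treated at least as strictly.
        return self.zone_id >= 3


def parse_zone_identifier(stream: Optional[bytes]) -> Optional[MarkOfTheWeb]:
    """Parse stream bytes.  None in means the stream does not exist; None out
    means there is no usable [ZoneTransfer] section, i.e. no mark."""
    if stream is None:
        return None
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the ZoneId / ReferrerUrl / HostUrl key casing
    try:
        cp.read_string(stream.decode("utf-8", errors="replace"))
    except configparser.Error:
        return None
    if not cp.has_section("ZoneTransfer") or not cp.has_option("ZoneTransfer", "ZoneId"):
        return None
    sec = cp["ZoneTransfer"]
    return MarkOfTheWeb(int(sec["ZoneId"]), sec.get("ReferrerUrl"), sec.get("HostUrl"))


def read_zone_identifier(path: str) -> Optional[bytes]:
    """Read the ADS on Windows/NTFS; None when the file or the stream is absent
    (which is also what a non-Windows host will report)."""
    try:
        with open(f"{path}:Zone.Identifier", "rb") as f:
            return f.read()
    except OSError:
        return None


def mark_removed(before: Optional[MarkOfTheWeb], after: Optional[MarkOfTheWeb]) -> bool:
    """True when an Internet-zone file's mark is gone from the copy that runs."""
    return before is not None and before.from_internet and after is None


# Constructed stream, in the layout a browser writes for a download
SAMPLE_STREAM = (b"[ZoneTransfer]\r\n"
                 b"ZoneId=3\r\n"
                 b"ReferrerUrl=https://example.invalid/\r\n"
                 b"HostUrl=https://example.invalid/0TOEtGJHN8\r\n")

if __name__ == "__main__":
    mark = parse_zone_identifier(SAMPLE_STREAM)
    print(mark.zone_name, mark.host_url)
    # The dropped copy has no stream left to read, as in the report
    print("mark removed:", mark_removed(mark, parse_zone_identifier(None)))
```

On a live Windows host `read_zone_identifier(r"C:\Users\user\Desktop\0TOEtGJHN8.exe")` followed by the same call on the dropped path gives the two inputs to `mark_removed`; the absence of the stream on a copy of a marked download is the observable, regardless of whether the stream was deleted or the file was moved with a tool that drops ADS.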

                      Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess | graph_0-13525
Source: C:\Windows\System32\svchost.exe TID: 5468 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap | 0_2_02F55070