Windows Analysis Report 0TOEtGJHN8

Overview

General Information

Sample Name: 0TOEtGJHN8 (renamed file extension from none to exe)
Analysis ID: 480340
MD5: 3639d17c4944743ac5c70c4e1bd30178
SHA1: 0047a882cf542b94754496c8cb985ab64561f72c
SHA256: 2cb7516c937ad8b9467ca417530651e34340d231c3696149c7d7b22e24ffaf9b
Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
Machine Learning detection for sample
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider

Process Tree

  • System is w10x64
  • 0TOEtGJHN8.exe (PID: 6232 cmdline: 'C:\Users\user\Desktop\0TOEtGJHN8.exe' MD5: 3639D17C4944743AC5C70C4E1BD30178)
    • signdrv.exe (PID: 6516 cmdline: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe MD5: 3639D17C4944743AC5C70C4E1BD30178)
  • svchost.exe (PID: 2804 cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6544 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1020 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6948 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6964 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3228 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet


Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.667325990.0000000002B60000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.667365539.0000000002BA4000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000004.00000002.926653493.0000000000E30000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000004.00000002.927258349.0000000002DD1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.667403377.0000000002F51000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.signdrv.exe.e3052e.2.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0.2.0TOEtGJHN8.exe.2f50000.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
4.2.signdrv.exe.e3279e.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0.2.0TOEtGJHN8.exe.2b6279e.2.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0.2.0TOEtGJHN8.exe.2b6052e.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.0TOEtGJHN8.exe.2b6052e.1.unpack, Malware Configuration Extractor: Emotet
Multi AV Scanner detection for submitted file
Source: 0TOEtGJHN8.exe, Virustotal: Detection: 85%
Source: 0TOEtGJHN8.exe, Metadefender: Detection: 45%
Source: 0TOEtGJHN8.exe, ReversingLabs: Detection: 88%
Antivirus / Scanner detection for submitted sample
Source: 0TOEtGJHN8.exe, Avira: detected
Machine Learning detection for sample
Source: 0TOEtGJHN8.exe, Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe, Code function: 4_2_02DD2290 CryptGetHashParam, CryptEncrypt, CryptDestroyHash, CryptDuplicateHash, memcpy, CryptExportKey, GetProcessHeap, RtlAllocateHeap
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe, Code function: 4_2_02DD2650 CryptAcquireContextW, CryptGenKey, CryptCreateHash, CryptImportKey, LocalFree, CryptDecodeObjectEx, CryptDecodeObjectEx
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe, Code function: 4_2_02DD1FB0 memcpy, GetProcessHeap, RtlAllocateHeap, CryptDestroyHash, CryptDuplicateHash
Source: 0TOEtGJHN8.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe, Code function: 0_2_02F538F0 FindNextFileW, FindNextFileW, _snwprintf, GetProcessHeap, FindFirstFileW, _snwprintf, FindClose
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe, Code function: 4_2_02DD38F0 FindNextFileW, FindNextFileW, _snwprintf, GetProcessHeap, HeapFree, FindFirstFileW, FindFirstFileW, _snwprintf, FindClose, FindClose

Networking:

C2 URLs / IPs found in malware configuration
Source: Joe Sandbox View, ASN Name: HOSTER-KZ
Source: Joe Sandbox View, ASN Name: AfrihostZA
Source: Joe Sandbox View, IP Address: 194.4.58.192
Source: Joe Sandbox View, IP Address: 95.9.5.93
Source: Joe Sandbox View, IP Address: 94.200.114.161
Source: global traffic, TCP traffic: 192.168.2.4:49760 -> 64.207.182.168:8080
Source: global traffic, TCP traffic: 192.168.2.4:49821 -> 51.89.199.141:8080
Source: global traffic, TCP traffic: 192.168.2.4:49830 -> 167.114.153.111:8080
Source: unknown, Network traffic detected: IP country count 34
Source: unknown, TCP traffic detected without corresponding DNS query: 102.182.145.130
Source: unknown, TCP traffic detected without corresponding DNS query: 173.173.254.105
Source: unknown, TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown, TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown, TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown, TCP traffic detected without corresponding DNS query: 173.63.222.65
                      Source: svchost.exe, 0000000C.00000003.766477397.000001DFA7981000.00000004.00000001.sdmpString found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detec equals www.twitter.com (Twitter)
                      Source: svchost.exe, 0000000C.00000003.766477397.000001DFA7981000.00000004.00000001.sdmpString found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detec equals www.youtube.com (Youtube)
                      Source: svchost.exe, 0000000C.00000003.766506617.000001DFA7E1D000.00000004.00000001.sdmpString found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
                      Source: signdrv.exe, 00000004.00000003.860042980.0000000003172000.00000004.00000001.sdmp | String found in binary or memory: http://102.182.145.130/GW9pD1/
                      Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp | String found in binary or memory: http://167.114.153.111:8080/Y8QcFjXY9mTwqEUtHZi/jo0m0vlpkUvB8EqBbI/fLIWQI1S3rZ/hVNDUF/QmsdwGh/1dNDF7
                      Source: signdrv.exe, 00000004.00000003.860042980.0000000003172000.00000004.00000001.sdmp | String found in binary or memory: http://173.173.254.105/eRt0rf/h47E/PPGzddI6qtwJHCcrLv/
                      Source: signdrv.exe, 00000004.00000003.860042980.0000000003172000.00000004.00000001.sdmp | String found in binary or memory: http://173.173.254.105/eRt0rf/h47E/PPGzddI6qtwJHCcrLv/4
                      Source: signdrv.exe, 00000004.00000002.927418525.0000000002EF6000.00000004.00000001.sdmp | String found in binary or memory: http://173.173.254.105/eRt0rf/h47E/PPGzddI6qtwJHCcrLv/B
                      Source: signdrv.exe, 00000004.00000003.860042980.0000000003172000.00000004.00000001.sdmp | String found in binary or memory: http://173.173.254.105/eRt0rf/h47E/PPGzddI6qtwJHCcrLv/G
                      Source: signdrv.exe, 00000004.00000002.927418525.0000000002EF6000.00000004.00000001.sdmp | String found in binary or memory: http://173.173.254.105/eRt0rf/h47E/PPGzddI6qtwJHCcrLv/J
                      Source: signdrv.exe, 00000004.00000003.860042980.0000000003172000.00000004.00000001.sdmp | String found in binary or memory: http://173.173.254.105/eRt0rf/h47E/PPGzddI6qtwJHCcrLv/p
                      Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp | String found in binary or memory: http://173.63.222.65/9ZCmKiFO7uHPn84/3EvH6ueL/1JsHphUq/xlmyNF0tH4Btuub/
                      Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp | String found in binary or memory: http://173.63.222.65/9ZCmKiFO7uHPn84/3EvH6ueL/1JsHphUq/xlmyNF0tH4Btuub/$
                      Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp | String found in binary or memory: http://173.63.222.65/9ZCmKiFO7uHPn84/3EvH6ueL/1JsHphUq/xlmyNF0tH4Btuub/t
                      Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp | String found in binary or memory: http://173.63.222.65/9ZCmKiFO7uHPn84/3EvH6ueL/1JsHphUq/xlmyNF0tH4Btuub/~
                      Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp | String found in binary or memory: http://51.89.199.141:8080/D9XLHb/nDTPEm8/mQcO7qSsE6DgkWRoP/5bBQ4sqVDIFS/KjX037lSEGPiO0wQmiO/
                      Source: signdrv.exe, 00000004.00000002.927478356.0000000003150000.00000004.00000001.sdmp | String found in binary or memory: http://51.89.199.141:8080/D9XLHb/nDTPEm8/mQcO7qSsE6DgkWRoP/5bBQ4sqVDIFS/KjX037lSEGPiO0wQmiO/%
                      Source: svchost.exe, 0000000C.00000002.786933919.000001DFA7900000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: svchost.exe, 0000000C.00000002.786799839.000001DFA72EC000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
                      Source: svchost.exe, 0000000C.00000003.766477397.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.766506617.000001DFA7E1D000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
                      Source: svchost.exe, 0000000C.00000003.766477397.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.766506617.000001DFA7E1D000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/termsofservice
                      Source: svchost.exe, 0000000C.00000003.773810411.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.773770820.000001DFA79A5000.00000004.00000001.sdmp | String found in binary or memory: https://corp.roblox.com/contact/
                      Source: svchost.exe, 0000000C.00000003.773810411.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.773770820.000001DFA79A5000.00000004.00000001.sdmp | String found in binary or memory: https://corp.roblox.com/parents/
                      Source: svchost.exe, 0000000C.00000003.773810411.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.773770820.000001DFA79A5000.00000004.00000001.sdmp | String found in binary or memory: https://en.help.roblox.com/hc/en-us
                      Source: svchost.exe, 0000000C.00000003.766477397.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.766506617.000001DFA7E1D000.00000004.00000001.sdmp | String found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
                      Source: svchost.exe, 0000000C.00000003.773810411.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.773770820.000001DFA79A5000.00000004.00000001.sdmp | String found in binary or memory: https://www.roblox.com/develop
                      Source: svchost.exe, 0000000C.00000003.773810411.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.773770820.000001DFA79A5000.00000004.00000001.sdmp | String found in binary or memory: https://www.roblox.com/info/privacy
                      Source: svchost.exe, 0000000C.00000003.767642393.000001DFA7981000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.767628847.000001DFA799C000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: 0TOEtGJHN8.exe, 00000000.00000002.666782953.0000000000FCA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      E-Banking Fraud:

                      Yara detected Emotet
                      Source: Yara match | File source: 4.2.signdrv.exe.e3052e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.0TOEtGJHN8.exe.2f50000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.signdrv.exe.e3279e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.0TOEtGJHN8.exe.2b6279e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.0TOEtGJHN8.exe.2b6052e.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.signdrv.exe.e3279e.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.signdrv.exe.2dd0000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.signdrv.exe.e3052e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.0TOEtGJHN8.exe.2b6052e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.0TOEtGJHN8.exe.2b6279e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.667325990.0000000002B60000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.667365539.0000000002BA4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.926653493.0000000000E30000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.927258349.0000000002DD1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.667403377.0000000002F51000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.927204458.0000000002D94000.00000004.00000001.sdmp, type: MEMORY
                      Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe | Code function: 4_2_02DD2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,
                      Source: 0TOEtGJHN8.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | File deleted: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe:Zone.Identifier
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | File created: C:\Windows\SysWOW64\KBDOGHAM\
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02F58240
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02F53BA0
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02F51C70
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02F57740
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02F56530
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02F53F20
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02F53D10
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B65ABE
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B692DE
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B6573E
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B658AE
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B680CE
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B6380E
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B77069
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B69DDE
                      Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe | Code function: 4_2_02DD8240
                      Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe | Code function: 4_2_02DD3BA0
                      Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe | Code function: 4_2_02DD7740
                      Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe | Code function: 4_2_02DD1C70
                      Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe | Code function: 4_2_02DD3D10
                      Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe | Code function: 4_2_02DD6530
                      Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe | Code function: 4_2_02DD3F20
                      Source: 0TOEtGJHN8.exe | Virustotal: Detection: 85%
                      Source: 0TOEtGJHN8.exe | Metadefender: Detection: 45%
                      Source: 0TOEtGJHN8.exe | ReversingLabs: Detection: 88%
                      Source: 0TOEtGJHN8.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Users\user\Desktop\0TOEtGJHN8.exe 'C:\Users\user\Desktop\0TOEtGJHN8.exe'
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Process created: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Process created: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                      Source: classification engine | Classification label: mal92.troj.evad.winEXE@9/0@0/100
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: CloseServiceHandle,_snwprintf,CreateServiceW,CloseServiceHandle,
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | File read: C:\Users\desktop.ini
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02F55070 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,
                      Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe | Code function: 4_2_02DD4CB0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification,
                      Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02F55DF0 push ecx; mov dword ptr [esp], 0000AAF5h
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02F55EF0 push ecx; mov dword ptr [esp], 0000669Ch
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02F55CD0 push ecx; mov dword ptr [esp], 00001CE1h
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02F55DC0 push ecx; mov dword ptr [esp], 000089FAh
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02F55EA0 push ecx; mov dword ptr [esp], 0000A3FDh
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02F55D90 push ecx; mov dword ptr [esp], 0000B2E0h
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02F55D50 push ecx; mov dword ptr [esp], 00006847h
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02F55D20 push ecx; mov dword ptr [esp], 0000C5A1h
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02F55F20 push ecx; mov dword ptr [esp], 0000E36Ch
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02F55E10 push ecx; mov dword ptr [esp], 0000F5B3h
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02F55D00 push ecx; mov dword ptr [esp], 00001F9Eh
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B67ABE push ecx; mov dword ptr [esp], 0000E36Ch
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B83E9C push ebx; iretd
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B83E9C push FFFFFF95h; iretd
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B67A8E push ecx; mov dword ptr [esp], 0000669Ch
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B67A3E push ecx; mov dword ptr [esp], 0000A3FDh
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B678BE push ecx; mov dword ptr [esp], 0000C5A1h
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B6789E push ecx; mov dword ptr [esp], 00001F9Eh
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B678EE push ecx; mov dword ptr [esp], 00006847h
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B6786E push ecx; mov dword ptr [esp], 00001CE1h
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B679AE push ecx; mov dword ptr [esp], 0000F5B3h
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B6798E push ecx; mov dword ptr [esp], 0000AAF5h
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B7858F push edi; iretd
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B839D9 push ss; iretd
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B6792E push ecx; mov dword ptr [esp], 0000B2E0h
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02B6795E push ecx; mov dword ptr [esp], 000089FAh
                      Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe | Code function: 4_2_02DD5CD0 push ecx; mov dword ptr [esp], 00001CE1h
                      Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe | Code function: 4_2_02DD5DC0 push ecx; mov dword ptr [esp], 000089FAh
                      Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe | Code function: 4_2_02DD5DF0 push ecx; mov dword ptr [esp], 0000AAF5h
                      Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe | Code function: 4_2_02DD5EF0 push ecx; mov dword ptr [esp], 0000669Ch
                      Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe | Code function: 4_2_02DD5D90 push ecx; mov dword ptr [esp], 0000B2E0h
                      Source: C:\Users\user\Desktop\0TOEtGJHN8.exe | Code function: 0_2_02BA1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe, Executable created and started: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe, PE file moved: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe, File opened: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe, Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe, Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Windows\System32\svchost.exe TID: 5468, Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe, Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,
Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe, Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe, Code function: 0_2_02F538F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe, Code function: 4_2_02DD38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe, API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe, API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe, File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 0000000C.00000002.786813778.000001DFA72FB000.00000004.00000001.sdmp, Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000002.00000002.924057917.000002363A802000.00000004.00000001.sdmp, Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: signdrv.exe, 00000004.00000003.860042980.0000000003172000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.786799839.000001DFA72EC000.00000004.00000001.sdmp, Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe, Code function: 0_2_02F53F20 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe, Code function: 0_2_02F54E20 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe, Code function: 0_2_02B65ABE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe, Code function: 0_2_02B60456 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe, Code function: 0_2_02B669BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe, Code function: 0_2_02B6095E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe, Code function: 0_2_02BA1030 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe, Code function: 4_2_02DD3F20 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe, Code function: 4_2_02DD4E20 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe, Code function: 4_2_02D91030 mov eax, dword ptr fs:[00000030h]
Source: signdrv.exe, 00000004.00000002.927120135.0000000001530000.00000002.00020000.sdmp, Binary or memory string: Program Manager
Source: signdrv.exe, 00000004.00000002.927120135.0000000001530000.00000002.00020000.sdmp, Binary or memory string: Shell_TrayWnd
Source: signdrv.exe, 00000004.00000002.927120135.0000000001530000.00000002.00020000.sdmp, Binary or memory string: Progman
Source: signdrv.exe, 00000004.00000002.927120135.0000000001530000.00000002.00020000.sdmp, Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe, Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe, Code function: 0_2_02F57EC0 _snwprintf,GetProcessHeap,SetFileInformationByHandle,SetFileInformationByHandle,GetSystemTimeAsFileTime,CreateFileW,CreateFileW,CloseHandle,
Source: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe, Code function: 4_2_02DD5360 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo,

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match, File source: 4.2.signdrv.exe.e3052e.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.0TOEtGJHN8.exe.2f50000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.signdrv.exe.e3279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.0TOEtGJHN8.exe.2b6279e.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.0TOEtGJHN8.exe.2b6052e.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.signdrv.exe.e3279e.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.signdrv.exe.2dd0000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.signdrv.exe.e3052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.0TOEtGJHN8.exe.2b6052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.0TOEtGJHN8.exe.2b6279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.667325990.0000000002B60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.667365539.0000000002BA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.926653493.0000000000E30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.927258349.0000000002DD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.667403377.0000000002F51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.927204458.0000000002D94000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

(The number after a technique is the count of matched signatures for that technique.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Service Execution (1) | Windows Service (2) | Windows Service (2) | Masquerading (12) | Input Capture (1) | System Time Discovery (1) | Remote Services | Input Capture (1) | Exfiltration Over Other Network Medium | Encrypted Channel (2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact (1)
Default Accounts | Native API (11) | Boot or Logon Initialization Scripts | Process Injection (2) | Virtualization/Sandbox Evasion (1) | LSASS Memory | Query Registry (1) | Remote Desktop Protocol | Archive Collected Data (11) | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (2) | Security Account Manager | Security Software Discovery (11) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Hidden Files and Directories (1) | NTDS | Virtualization/Sandbox Evasion (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information (1) | LSA Secrets | Process Discovery (3) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | File Deletion (1) | Cached Domain Credentials | System Service Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Remote System Discovery (1) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery (2) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery (15) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
0TOEtGJHN8.exe | 86% | Virustotal |
0TOEtGJHN8.exe | 54% | Metadefender |
0TOEtGJHN8.exe | 88% | ReversingLabs | Win32.Trojan.Injuke
0TOEtGJHN8.exe | 100% | Avira | TR/Crypt.Agent.hgrgz
0TOEtGJHN8.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.0TOEtGJHN8.exe.2b6052e.1.unpack | 100% | Avira | HEUR/AGEN.1110377
0.2.0TOEtGJHN8.exe.2f50000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.signdrv.exe.e3279e.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.0TOEtGJHN8.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1139844
0.2.0TOEtGJHN8.exe.2b6279e.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.0TOEtGJHN8.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1139844
4.2.signdrv.exe.2dd0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.signdrv.exe.e3052e.2.unpack | 100% | Avira | HEUR/AGEN.1110377
4.0.signdrv.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1139844
4.2.signdrv.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1139844

Domains

No Antivirus matches

URLs


Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries


Contacted IPs

                                      unknownTaiwan; Republic of China (ROC)
                                      3462HINETDataCommunicationBusinessGroupTWtrue
                                      2.58.16.89
                                      unknownLatvia
                                      64421SERTEX-ASLVtrue
                                      62.171.142.179
                                      unknownUnited Kingdom
                                      51167CONTABODEtrue
                                      123.176.25.234
                                      unknownMaldives
                                      7642DHIRAAGU-MV-APDHIVEHIRAAJJEYGEGULHUNPLCMVtrue
                                      50.91.114.38
                                      unknownUnited States
                                      33363BHN-33363UStrue
                                      61.33.119.226
                                      unknownKorea Republic of
                                      3786LGDACOMLGDACOMCorporationKRtrue
                                      217.123.207.149
                                      unknownNetherlands
                                      33915TNF-ASNLtrue
                                      78.24.219.147
                                      unknownRussian Federation
                                      29182THEFIRST-ASRUtrue
                                      173.63.222.65
                                      unknownUnited States
                                      701UUNETUStrue
                                      47.36.140.164
                                      unknownUnited States
                                      20115CHARTER-20115UStrue
                                      110.142.236.207
                                      unknownAustralia
                                      1221ASN-TELSTRATelstraCorporationLtdAUtrue
                                      139.99.158.11
                                      unknownCanada
                                      16276OVHFRtrue
                                      201.171.244.130
                                      unknownMexico
                                      8151UninetSAdeCVMXtrue
                                      49.50.209.131
                                      unknownNew Zealand
                                      55853MEGATEL-AS-APMegatelNZtrue
                                      190.108.228.27
                                      unknownArgentina
                                      27751NeunetSAARtrue
                                      202.141.243.254
                                      unknownPakistan
                                      9260MULTINET-AS-APMultinetPakistanPvtLtdPKtrue
                                      121.124.124.40
                                      unknownKorea Republic of
                                      9318SKB-ASSKBroadbandCoLtdKRtrue
                                      139.59.60.244
                                      unknownSingapore
                                      14061DIGITALOCEAN-ASNUStrue
                                      61.19.246.238
                                      unknownThailand
                                      9335CAT-CLOUD-APCATTelecomPublicCompanyLimitedTHtrue
                                      168.235.67.138
                                      unknownUnited States
                                      3842RAMNODEUStrue
                                      137.59.187.107
                                      unknownHong Kong
                                      18106VIEWQWEST-SG-APViewqwestPteLtdSGtrue
                                      78.188.106.53
                                      unknownTurkey
                                      9121TTNETTRtrue
                                      71.15.245.148
                                      unknownUnited States
                                      20115CHARTER-20115UStrue
                                      188.219.31.12
                                      unknownItaly
                                      30722VODAFONE-IT-ASNITtrue
                                      64.207.182.168
                                      unknownUnited States
                                      398110GO-DADDY-COM-LLCUStrue
                                      217.20.166.178
                                      unknownUkraine
                                      1820WNETUStrue
                                      24.230.141.169
                                      unknownUnited States
                                      11232MIDCO-NETUStrue
                                      74.208.45.104
                                      unknownUnited States
                                      8560ONEANDONE-ASBrauerstrasse48DEtrue
                                      134.209.144.106
                                      unknownUnited States
                                      14061DIGITALOCEAN-ASNUStrue
                                      186.70.56.94
                                      unknownEcuador
                                      14522SatnetECtrue
                                      97.82.79.83
                                      unknownUnited States
                                      20115CHARTER-20115UStrue
                                      173.173.254.105
                                      unknownUnited States
                                      11427TWC-11427-TEXASUStrue
                                      172.104.97.173
                                      unknownUnited States
                                      63949LINODE-APLinodeLLCUStrue
                                      190.12.119.180
                                      unknownArgentina
                                      11014CPSARtrue
                                      139.162.60.124
                                      unknownNetherlands
                                      63949LINODE-APLinodeLLCUStrue
                                      184.180.181.202
                                      unknownUnited States
                                      22773ASN-CXA-ALL-CCI-22773-RDCUStrue
                                      176.113.52.6
                                      unknownRussian Federation
                                      8712INTA-ASRUtrue
                                      68.115.186.26
                                      unknownUnited States
                                      20115CHARTER-20115UStrue
                                      201.241.127.190
                                      unknownChile
                                      22047VTRBANDAANCHASACLtrue
                                      24.137.76.62
                                      unknownCanada
                                      11260EASTLINK-HSICAtrue
                                      102.182.145.130
                                      unknownSouth Africa
                                      37611AfrihostZAtrue
                                      182.208.30.18
                                      unknownKorea Republic of
                                      17858POWERVIS-AS-KRLGPOWERCOMMKRtrue

                                      General Information

                                      Joe Sandbox Version:33.0.0 White Diamond
                                      Analysis ID:480340
                                      Start date:09.09.2021
                                      Start time:09:54:08
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 7m 42s
                                      Hypervisor based Inspection enabled:false
                                      Report type:light
                                      Sample file name:0TOEtGJHN8 (renamed file extension from none to exe)
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                      Number of new started processes analysed:18
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal92.troj.evad.winEXE@9/0@0/100
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HDC Information:
                                      • Successful, ratio: 34.2% (good quality ratio 34.1%)
                                      • Quality average: 73.5%
                                      • Quality standard deviation: 19.9%
                                      HCA Information:
                                      • Successful, ratio: 81%
                                      • Number of executed functions: 0
                                      • Number of non-executed functions: 0
                                      Cookbook Comments:
                                      • Adjust boot time
                                      • Enable AMSI
                                      Warnings:
                                      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe
                                      • Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.82.210.154, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211
                                      • Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                      Simulations

                                      Behavior and APIs

                                      Time     | Type            | Description
                                      09:55:03 | API Interceptor | 1x Sleep call for process: 0TOEtGJHN8.exe modified
                                      09:55:05 | API Interceptor | 1x Sleep call for process: signdrv.exe modified
                                      09:55:50 | API Interceptor | 10x Sleep call for process: svchost.exe modified

                                      Joe Sandbox View / Context

                                      IPs

                                      Match          | Associated Sample Name / URL         | Detection | Context
                                      194.4.58.192   | boI88C399w.exe                       | malicious |
                                                     | boI88C399w.exe                       | malicious |
                                                     | v8iFmF7XPp.dll                       | malicious |
                                                     | 2ojdmC51As.exe                       | malicious |
                                                     | IU-8549 Medical report COVID-19.doc  | malicious |
                                      102.182.93.220 | boI88C399w.exe                       | malicious |
                                                     | boI88C399w.exe                       | malicious |
                                                     | 2ojdmC51As.exe                       | malicious |
                                      95.9.5.93      | boI88C399w.exe                       | malicious |
                                                     | boI88C399w.exe                       | malicious |
                                                     | v8iFmF7XPp.dll                       | malicious |
                                                     | 2ojdmC51As.exe                       | malicious |
                                                     | IU-8549 Medical report COVID-19.doc  | malicious |
                                      94.200.114.161 | test-emotet.exe                      | malicious | 94.200.114.161/

                                                                Domains

                                                                No context

                                                                ASN


                                                                JA3 Fingerprints

                                                                No context

                                                                Dropped Files

                                                                No context

                                                                Created / dropped Files

                                                                No created / dropped files found

                                                                Static File Info

                                                                General

                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Entropy (8bit):6.4617069558872
                                                                TrID:
                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                File name:0TOEtGJHN8.exe
                                                                File size:364544
                                                                MD5:3639d17c4944743ac5c70c4e1bd30178
                                                                SHA1:0047a882cf542b94754496c8cb985ab64561f72c
                                                                SHA256:2cb7516c937ad8b9467ca417530651e34340d231c3696149c7d7b22e24ffaf9b
                                                                SHA512:efbc3c75d893baa3e5fc5329ef7bc3163e686850f9196e2ba758b486b18743fd2487476976d6c55b826da2ab1a017ae854af0c53d4b95865a5221a387ba9ad11
                                                                SSDEEP:6144:5uBkiwzntFj3OB0LPJQOZGhcvSSj2x+TGLNs3EtU7L:5HbFTOAQIacvSS6oqLFtsL
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y....c...c...c.......c...|...c...|...c...|...c.......c...c..ic...|...c...e...c..Rich.c..........PE..L...z.._...................

                                                                File Icon

                                                                Icon Hash:00828e8e8686b000

                                                                Static PE Info

                                                                General

                                                                Entrypoint:0x40a274
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                                DLL Characteristics:
                                                                Time Stamp:0x5F9C077A [Fri Oct 30 12:30:50 2020 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:c9f7e018b269f1b5fe81cf757d6f8e93

                                                                Entrypoint Preview

                                                                Instruction
                                                                push ebp
                                                                push esp
                                                                pop ebp
                                                                push FFFFFFFFh
                                                                push 0040C000h
                                                                push 0040A424h
                                                                mov eax, dword ptr fs:[00000000h]
                                                                push eax
                                                                mov dword ptr fs:[00000000h], esp
                                                                sub esp, 68h
                                                                push ebx
                                                                push esi
                                                                push edi
                                                                mov dword ptr [ebp-18h], esp
                                                                xor ebx, ebx
                                                                mov dword ptr [ebp-04h], ebx
                                                                push 00000002h
                                                                call dword ptr [00C1E598h]
                                                                pop ecx
                                                                or dword ptr [00C1DA4Ch], FFFFFFFFh
                                                                or dword ptr [00C1DA5Ch], FFFFFFFFh
                                                                call dword ptr [00C1E53Ch]
                                                                mov ecx, dword ptr [00C1DA3Ch]
                                                                mov dword ptr [eax], ecx
                                                                call dword ptr [00C1E540h]
                                                                mov ecx, dword ptr [00C1DA38h]
                                                                mov dword ptr [eax], ecx
                                                                mov eax, dword ptr [00C1E544h]
                                                                mov eax, dword ptr [eax]
                                                                mov dword ptr [00C1DA40h], eax
                                                                call 00007FF408AB9E63h
                                                                cmp dword ptr [0040DA00h], ebx
                                                                jne 00007FF408AB9D3Eh
                                                                push 0040A40Eh
                                                                call dword ptr [00C1E548h]
                                                                pop ecx
                                                                call 00007FF408AB9E2Fh
                                                                push 0040D418h
                                                                push 0040D314h
                                                                call 00007FF408AB9E1Ah
                                                                mov eax, dword ptr [00C1DA34h]
                                                                mov dword ptr [ebp-6Ch], eax
                                                                lea eax, dword ptr [ebp-6Ch]
                                                                push eax
                                                                push dword ptr [00C1DA30h]
                                                                lea eax, dword ptr [ebp-64h]
                                                                push eax
                                                                lea eax, dword ptr [ebp-70h]
                                                                push eax
                                                                lea eax, dword ptr [ebp-60h]
                                                                push eax
                                                                call dword ptr [00C1E550h]
                                                                push 0040D210h
                                                                push 0040D000h
                                                                call 00007FF408AB9DE7h

                                                                Rich Headers

                                                                Programming Language:
                                                                • [ C ] VS98 (6.0) build 8168
                                                                • [RES] VS98 (6.0) cvtres build 1720
                                                                • [C++] VS98 (6.0) build 8168
                                                                • [LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x81e000         0x8c          .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x820000         0x41d76       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x862000         0x1184        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x81e3bc         0x330         .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.text   0x1000           0xa45f        0xb000    False     0.327281605114   data       5.39094221826    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0xc000           0x10e         0x1000    False     0.00927734375    data       0.0298850891201  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xd000           0x810a60      0x1000    unknown   unknown          unknown    unknown          IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata  0x81e000         0x1168        0x2000    False     0.19482421875    data       2.91471949984    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc   0x820000         0x41d76       0x42000   False     0.752877900095   data       7.04184498603    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x862000         0x6f5e        0x7000    False     0.135777064732   data       1.65586384416    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name       RVA       Size     Type  Language  Country
RT_BITMAP  0x820f50  0x4ee8   data  English   United States
RT_MENU    0x820430  0x168    data  English   United States
RT_DIALOG  0x820598  0x224    data  English   United States
RT_DIALOG  0x820ea8  0xa6     data  English   United States
RT_DIALOG  0x8207c0  0x3fa    data  English   United States
RT_DIALOG  0x820bc0  0x290    data  English   United States
RT_DIALOG  0x820e50  0x54     data  English   United States
RT_STRING  0x856d70  0x50     data  English   United States
RT_RCDATA  0x825e38  0x30f33  data  English   United States

Imports

DLL           Import
KERNEL32.dll  WinExec, LoadLibraryA, GetProcAddress, WriteFile, GlobalReAlloc, GlobalSize, GetPrivateProfileStringA, WritePrivateProfileStringA, CreateFileA, SetFilePointer, ReadFile, CloseHandle, GlobalAlloc, VirtualAlloc, GlobalLock, GlobalUnlock, GlobalFree, GetModuleHandleExA, GetModuleHandleA, GetStartupInfoA
USER32.dll    GetMenu, GetDlgItem, CharLowerA, DestroyWindow, ShowWindow, WinHelpA, DefFrameProcA, EnableMenuItem, GetParent, DefMDIChildProcA, EndDialog, CharUpperA, ReleaseDC, GetDC, SendMessageA, InvalidateRect, PostQuitMessage, SendDlgItemMessageA, wsprintfA, SetWindowPos, GetClientRect, SetScrollRange, SetScrollPos, LoadStringA, EndPaint, BeginPaint, DispatchMessageA, TranslateMessage, GetMessageA, CreateDialogParamA, UpdateWindow, CreateWindowExA, RegisterClassA, LoadCursorA, DialogBoxParamA, LoadIconA
GDI32.dll     CreatePalette, DeleteObject, SelectObject, RealizePalette, SelectPalette, SaveDC, SetWindowOrgEx, RestoreDC, LineTo, MoveToEx, DPtoLP, Rectangle, SetROP2, SetViewportExtEx, SetWindowExtEx, SetMapMode, CreatePen, GetStockObject, DeleteDC, BitBlt, CreateCompatibleDC, CreateDIBitmap
comdlg32.dll  GetSaveFileNameA, GetOpenFileNameA
MSVCP60.dll   ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z, ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z, ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z, ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z, ??1_Winit@std@@QAE@XZ, ??0_Winit@std@@QAE@XZ, ??1Init@ios_base@std@@QAE@XZ, ??0Init@ios_base@std@@QAE@XZ
MSVCRT.dll    _except_handler3, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, _onexit, __dllonexit, sprintf, _ftol, strncpy, strncmp, calloc, memset, strcpy, strlen, strcmp, memcpy, malloc, __set_app_type, _controlfp
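The Sections, Resources and Imports tables above carry the static signals an analyst would triage first: a .data section whose virtual size (0x810a60) is about two thousand times its raw size (0x1000), a .rsrc section with entropy above 7 holding a 0x30f33-byte RT_RCDATA blob, and a KERNEL32 import set that pairs LoadLibraryA/GetProcAddress with VirtualAlloc and WinExec. The script below is an added example, not part of the sandbox's scoring logic; its section, resource and import records are transcribed from those tables, and the thresholds (VSIZE_RATIO, HIGH_ENTROPY, BIG_RCDATA) are assumptions chosen for illustration. The shannon_entropy function shows how a value like the report's Entropy column is computed.

```python
"""Static triage heuristics over the PE tables of this report.

Added example, not the sandbox's own logic. Records are transcribed from the
Sections, Resources and Imports tables; thresholds are assumptions.
"""
import math
from dataclasses import dataclass
from typing import Optional


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) up to 8.0 (uniform); the report's Entropy column."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass(frozen=True)
class Section:
    name: str
    vaddr: int
    vsize: int
    rawsize: int
    entropy: Optional[float]   # None where the report prints "unknown"
    flags: frozenset


# Transcribed from the Sections table (IMAGE_SCN_* prefixes dropped, entropy rounded).
SECTIONS = [
    Section(".text",  0x1000,   0xa45f,   0xb000,  5.39, frozenset({"EXECUTE", "CODE", "READ"})),
    Section(".rdata", 0xc000,   0x10e,    0x1000,  0.03, frozenset({"INITIALIZED_DATA", "READ"})),
    Section(".data",  0xd000,   0x810a60, 0x1000,  None, frozenset({"INITIALIZED_DATA", "WRITE", "READ"})),
    Section(".idata", 0x81e000, 0x1168,   0x2000,  2.91, frozenset({"INITIALIZED_DATA", "WRITE", "READ"})),
    Section(".rsrc",  0x820000, 0x41d76,  0x42000, 7.04, frozenset({"INITIALIZED_DATA", "READ"})),
    Section(".reloc", 0x862000, 0x6f5e,   0x7000,  1.66, frozenset({"INITIALIZED_DATA", "DISCARDABLE", "READ"})),
]

# Transcribed from the Resources table: (type, size in bytes).
RESOURCES = [("RT_BITMAP", 0x4ee8), ("RT_MENU", 0x168), ("RT_DIALOG", 0x224), ("RT_DIALOG", 0xa6),
             ("RT_DIALOG", 0x3fa), ("RT_DIALOG", 0x290), ("RT_DIALOG", 0x54),
             ("RT_STRING", 0x50), ("RT_RCDATA", 0x30f33)]

# The part of the Imports table that matters for triage.
IMPORTS = {
    "KERNEL32.dll": {"WinExec", "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "WriteFile",
                     "CreateFileA", "GetPrivateProfileStringA", "WritePrivateProfileStringA"},
    "USER32.dll": {"RegisterClassA", "CreateWindowExA", "DialogBoxParamA"},
}

# Heuristic thresholds (assumptions; tune them for your own triage).
VSIZE_RATIO = 16       # virtual size this many times the raw size -> runtime staging area
HIGH_ENTROPY = 7.0     # near-uniform bytes -> compressed or encrypted blob
BIG_RCDATA = 0x10000   # an RT_RCDATA at least this large -> candidate embedded payload


def triage_sections(sections=SECTIONS):
    findings = []
    for s in sections:
        if s.rawsize and s.vsize // s.rawsize >= VSIZE_RATIO:
            findings.append(f"{s.name}: virtual size {s.vsize:#x} vs raw {s.rawsize:#x}, "
                            f"{s.vsize // s.rawsize}x zero-filled space at load (runtime staging area)")
        if s.entropy is not None and s.entropy >= HIGH_ENTROPY:
            findings.append(f"{s.name}: entropy {s.entropy:.2f} (compressed or encrypted data)")
        if {"WRITE", "EXECUTE"} <= s.flags:
            findings.append(f"{s.name}: writable and executable")
    return findings


def triage_resources(resources=RESOURCES):
    return [f"{t}: {size:#x} bytes of raw data (candidate embedded payload)"
            for t, size in resources if t == "RT_RCDATA" and size >= BIG_RCDATA]


def triage_imports(imports=IMPORTS):
    k32 = imports.get("KERNEL32.dll", set())
    findings = []
    if {"LoadLibraryA", "GetProcAddress"} <= k32:
        findings.append("LoadLibraryA+GetProcAddress: resolves APIs at runtime, so the static "
                        "import table understates what the binary calls")
    if "VirtualAlloc" in k32:
        findings.append("VirtualAlloc: allocates memory a later stage can be written into")
    if "WinExec" in k32:
        findings.append("WinExec: can launch another program")
    return findings


def triage():
    return {"sections": triage_sections(), "resources": triage_resources(), "imports": triage_imports()}


if __name__ == "__main__":
    for group, items in triage().items():
        print(group)
        for item in items:
            print("  -", item)
```

Run against the transcribed tables it flags .data (staging space), .rsrc (high entropy), the large RT_RCDATA, and the three import patterns; nothing on the page is marked RWX, so that rule stays quiet here. The import rule is the one to remember: once LoadLibraryA and GetProcAddress are present, the absence of, say, networking imports says nothing about what the sample does at runtime, which is why the report's dynamic signatures (C2 traffic, service enumeration) go beyond this table.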

Possible Origin

Language of compilation system  Country where language is spoken
English                         United States

                                                                Network Behavior

                                                                Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Sep 9, 2021 09:55:19.320394039 CEST  49756        80         192.168.2.4      102.182.145.130
Sep 9, 2021 09:55:19.517098904 CEST  80           49756      102.182.145.130  192.168.2.4
Sep 9, 2021 09:55:20.030451059 CEST  49756        80         192.168.2.4      102.182.145.130
Sep 9, 2021 09:55:20.224869967 CEST  80           49756      102.182.145.130  192.168.2.4
Sep 9, 2021 09:55:20.732912064 CEST  49756        80         192.168.2.4      102.182.145.130
Sep 9, 2021 09:55:20.929233074 CEST  80           49756      102.182.145.130  192.168.2.4
Sep 9, 2021 09:55:23.247458935 CEST  49757        80         192.168.2.4      173.173.254.105
Sep 9, 2021 09:55:26.249187946 CEST  49757        80         192.168.2.4      173.173.254.105
Sep 9, 2021 09:55:32.265110016 CEST  49757        80         192.168.2.4      173.173.254.105
Sep 9, 2021 09:55:47.975023985 CEST  49760        8080       192.168.2.4      64.207.182.168
Sep 9, 2021 09:55:50.985471010 CEST  49760        8080       192.168.2.4      64.207.182.168
Sep 9, 2021 09:55:56.985920906 CEST  49760        8080       192.168.2.4      64.207.182.168
Sep 9, 2021 09:56:12.008944988 CEST  49821        8080       192.168.2.4      51.89.199.141
Sep 9, 2021 09:56:15.190628052 CEST  49821        8080       192.168.2.4      51.89.199.141
Sep 9, 2021 09:56:21.191226006 CEST  49821        8080       192.168.2.4      51.89.199.141
Sep 9, 2021 09:56:36.087708950 CEST  49830        8080       192.168.2.4      167.114.153.111
Sep 9, 2021 09:56:39.083719015 CEST  49830        8080       192.168.2.4      167.114.153.111
Sep 9, 2021 09:56:45.099435091 CEST  49830        8080       192.168.2.4      167.114.153.111
Sep 9, 2021 09:56:59.574043989 CEST  49835        80         192.168.2.4      173.63.222.65
Sep 9, 2021 09:57:02.569618940 CEST  49835        80         192.168.2.4      173.63.222.65
Sep 9, 2021 09:57:08.572415113 CEST  49835        80         192.168.2.4      173.63.222.65
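The TCP list above tells two different stories per destination. 102.182.145.130:80 answered every packet the VM sent. The five other destinations on 80 and 8080 each show exactly three outbound packets spaced about 3 s and then 6 s apart with nothing coming back, which is what an unanswered SYN looks like under the Windows default of two retransmissions. The script below is an added example, not part of the sandbox's analysis: its packet rows are transcribed from the table above, the VM address 192.168.2.4 is taken from the table, and the SYN retransmission spacing it keys on (roughly +3 s and +9 s) is the assumption used to separate live C2 from dead C2 in this run.

```python
"""Classify the C2 candidates in this report's TCP packet list.

Added example, not the sandbox's own analysis. Rows are transcribed from the
TCP Packets table; the SYN retransmission timing is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOCAL = "192.168.2.4"   # the analysis VM's address in the table

# Transcribed rows: timestamp, src port, dst port, src ip, dst ip.
PACKETS = """\
Sep 9, 2021 09:55:19.320394039 CEST 49756 80 192.168.2.4 102.182.145.130
Sep 9, 2021 09:55:19.517098904 CEST 80 49756 102.182.145.130 192.168.2.4
Sep 9, 2021 09:55:20.030451059 CEST 49756 80 192.168.2.4 102.182.145.130
Sep 9, 2021 09:55:20.224869967 CEST 80 49756 102.182.145.130 192.168.2.4
Sep 9, 2021 09:55:20.732912064 CEST 49756 80 192.168.2.4 102.182.145.130
Sep 9, 2021 09:55:20.929233074 CEST 80 49756 102.182.145.130 192.168.2.4
Sep 9, 2021 09:55:23.247458935 CEST 49757 80 192.168.2.4 173.173.254.105
Sep 9, 2021 09:55:26.249187946 CEST 49757 80 192.168.2.4 173.173.254.105
Sep 9, 2021 09:55:32.265110016 CEST 49757 80 192.168.2.4 173.173.254.105
Sep 9, 2021 09:55:47.975023985 CEST 49760 8080 192.168.2.4 64.207.182.168
Sep 9, 2021 09:55:50.985471010 CEST 49760 8080 192.168.2.4 64.207.182.168
Sep 9, 2021 09:55:56.985920906 CEST 49760 8080 192.168.2.4 64.207.182.168
Sep 9, 2021 09:56:12.008944988 CEST 49821 8080 192.168.2.4 51.89.199.141
Sep 9, 2021 09:56:15.190628052 CEST 49821 8080 192.168.2.4 51.89.199.141
Sep 9, 2021 09:56:21.191226006 CEST 49821 8080 192.168.2.4 51.89.199.141
Sep 9, 2021 09:56:36.087708950 CEST 49830 8080 192.168.2.4 167.114.153.111
Sep 9, 2021 09:56:39.083719015 CEST 49830 8080 192.168.2.4 167.114.153.111
Sep 9, 2021 09:56:45.099435091 CEST 49830 8080 192.168.2.4 167.114.153.111
Sep 9, 2021 09:56:59.574043989 CEST 49835 80 192.168.2.4 173.63.222.65
Sep 9, 2021 09:57:02.569618940 CEST 49835 80 192.168.2.4 173.63.222.65
Sep 9, 2021 09:57:08.572415113 CEST 49835 80 192.168.2.4 173.63.222.65
"""

ROW = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) \w+ (\d+) (\d+) (\S+) (\S+)$")


def parse_row(line):
    m = ROW.match(line)
    if not m:
        raise ValueError(f"unparsable row: {line!r}")
    date, frac, sport, dport, sip, dip = m.groups()
    # strptime's %f takes at most six digits; the report prints nine, so truncate.
    ts = datetime.strptime(date, "%b %d, %Y %H:%M:%S") + timedelta(microseconds=int(frac[:6].ljust(6, "0")))
    return ts, int(sport), int(dport), sip, dip


def looks_like_syn_retransmits(times):
    """Three packets, ~3 s then ~6 s apart: Windows' default SYN retry schedule (assumption)."""
    if len(times) != 3:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return 2.5 <= gaps[0] <= 3.5 and 5.5 <= gaps[1] <= 6.5


def classify(packets=PACKETS):
    outbound = defaultdict(list)   # (dst ip, dst port) -> timestamps of the VM's packets to it
    answered = set()               # (peer ip, peer port) that sent anything back
    for line in packets.splitlines():
        ts, sport, dport, sip, dip = parse_row(line)
        if sip == LOCAL:
            outbound[(dip, dport)].append(ts)
        elif dip == LOCAL:
            answered.add((sip, sport))
    result = {}
    for peer, times in outbound.items():
        if peer in answered:
            result[peer] = "alive"
        elif looks_like_syn_retransmits(sorted(times)):
            result[peer] = "unanswered (SYN retransmit pattern)"
        else:
            result[peer] = "unknown"
    return result


def iocs(packets=PACKETS):
    """Destination ip:port pairs as plain indicators, in first-contact order."""
    return [f"{ip}:{port}" for (ip, port) in classify(packets)]


if __name__ == "__main__":
    for (ip, port), state in classify().items():
        print(f"{ip}:{port:<5} {state}")
```

The distinction matters when the IOC list is turned into blocks or hunts: all six addresses belong in the indicator set because the sample carries them in its configuration, but only the one that answered proves a live server at analysis time, and a retransmit-only destination may be a sinkholed or already-taken-down node. The same grouping applied to a real pcap would also need SYN/ACK flags rather than "any packet back" to call a peer alive.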

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Sep 9, 2021 09:54:58.557748079 CEST  54531        53         192.168.2.4  8.8.8.8
Sep 9, 2021 09:54:58.592333078 CEST  53           54531      8.8.8.8      192.168.2.4
Sep 9, 2021 09:55:29.906896114 CEST  49714        53         192.168.2.4  8.8.8.8
Sep 9, 2021 09:55:29.942843914 CEST  53           49714      8.8.8.8      192.168.2.4
Sep 9, 2021 09:55:50.276916981 CEST  58028        53         192.168.2.4  8.8.8.8
Sep 9, 2021 09:55:50.315480947 CEST  53           58028      8.8.8.8      192.168.2.4
Sep 9, 2021 09:55:51.136742115 CEST  53097        53         192.168.2.4  8.8.8.8
Sep 9, 2021 09:55:51.187266111 CEST  53           53097      8.8.8.8      192.168.2.4
Sep 9, 2021 09:55:51.637093067 CEST  49257        53         192.168.2.4  8.8.8.8
Sep 9, 2021 09:55:51.669800043 CEST  53           49257      8.8.8.8      192.168.2.4
Sep 9, 2021 09:55:52.034501076 CEST  62389        53         192.168.2.4  8.8.8.8
Sep 9, 2021 09:55:52.072707891 CEST  53           62389      8.8.8.8      192.168.2.4
Sep 9, 2021 09:55:52.388864994 CEST  49910        53         192.168.2.4  8.8.8.8
Sep 9, 2021 09:55:52.430005074 CEST  53           49910      8.8.8.8      192.168.2.4
Sep 9, 2021 09:55:52.527801991 CEST  55854        53         192.168.2.4  8.8.8.8
Sep 9, 2021 09:55:52.562875986 CEST  53           55854      8.8.8.8      192.168.2.4
Sep 9, 2021 09:55:53.071188927 CEST  64549        53         192.168.2.4  8.8.8.8
Sep 9, 2021 09:55:53.103707075 CEST  53           64549      8.8.8.8      192.168.2.4
Sep 9, 2021 09:55:53.594732046 CEST  63153        53         192.168.2.4  8.8.8.8
Sep 9, 2021 09:55:53.628133059 CEST  53           63153      8.8.8.8      192.168.2.4
Sep 9, 2021 09:55:54.490654945 CEST  52991        53         192.168.2.4  8.8.8.8
Sep 9, 2021 09:55:54.517533064 CEST  53           52991      8.8.8.8      192.168.2.4
Sep 9, 2021 09:55:55.228970051 CEST  53700        53         192.168.2.4  8.8.8.8
Sep 9, 2021 09:55:55.271924019 CEST  53           53700      8.8.8.8      192.168.2.4
Sep 9, 2021 09:55:55.979166031 CEST  51726        53         192.168.2.4  8.8.8.8
Sep 9, 2021 09:55:56.014950991 CEST  53           51726      8.8.8.8      192.168.2.4
Sep 9, 2021 09:56:08.602910995 CEST  56794        53         192.168.2.4  8.8.8.8
Sep 9, 2021 09:56:08.634823084 CEST  53           56794      8.8.8.8      192.168.2.4
Sep 9, 2021 09:56:42.445132971 CEST  56534        53         192.168.2.4  8.8.8.8
Sep 9, 2021 09:56:42.482462883 CEST  53           56534      8.8.8.8      192.168.2.4
Sep 9, 2021 09:56:44.449928045 CEST  56627        53         192.168.2.4  8.8.8.8
Sep 9, 2021 09:56:44.485619068 CEST  53           56627      8.8.8.8      192.168.2.4

                                                                Code Manipulations

                                                                Statistics

                                                                Behavior


                                                                System Behavior

                                                                General

Start time: 09:55:03
Start date: 09/09/2021
Path: C:\Users\user\Desktop\0TOEtGJHN8.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\0TOEtGJHN8.exe'
Imagebase: 0x400000
File size: 364544 bytes
MD5 hash: 3639D17C4944743AC5C70C4E1BD30178
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.667325990.0000000002B60000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.667365539.0000000002BA4000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.667403377.0000000002F51000.00000020.00000001.sdmp, Author: Joe Security
Reputation: low

                                                                General

Start time: 09:55:03
Start date: 09/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
Imagebase: 0x7ff6eb840000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                General

Start time: 09:55:04
Start date: 09/09/2021
Path: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe
Imagebase: 0x400000
File size: 364544 bytes
MD5 hash: 3639D17C4944743AC5C70C4E1BD30178
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.926653493.0000000000E30000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.927258349.0000000002DD1000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.927204458.0000000002D94000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                                                                General

Start time: 09:55:04
Start date: 09/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
Imagebase: 0x7ff6eb840000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

                                                                General

Start time: 09:55:12
Start date: 09/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff6eb840000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                General

Start time: 09:55:30
Start date: 09/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff6eb840000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                General

Start time: 09:55:40
Start date: 09/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff6eb840000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                General

Start time: 09:55:48
Start date: 09/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff6eb840000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

                                                                Disassembly

                                                                Code Analysis
