Windows Analysis Report 0TOEtGJHN8.exe

AV Detection:

Found malware configuration

Source: 0.2.0TOEtGJHN8.exe.290279e.1.unpack

Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["102.182.145.130:80", "173.173.254.105:80", "64.207.182.168:8080", "51.89.199.141:8080", "167.114.153.111:8080", "173.63.222.65:80", "218.147.193.146:80", "59.125.219.109:443", "172.104.97.173:8080", "190.162.215.233:80", "68.115.186.26:80", "78.188.106.53:443", "190.240.194.77:443", "24.133.106.23:80", "80.227.52.78:80", "79.137.83.50:443", "120.150.218.241:443", "62.171.142.179:8080", "194.4.58.192:7080", "62.30.7.67:443", "134.209.144.106:443", "24.230.141.169:80", "194.190.67.75:80", "172.91.208.86:80", "201.241.127.190:80", "185.94.252.104:443", "104.131.11.150:443", "71.15.245.148:8080", "176.111.60.55:8080", "172.86.188.251:8080", "194.187.133.160:443", "113.61.66.94:80", "91.211.88.52:7080", "202.134.4.216:8080", "154.91.33.137:443", "74.40.205.197:443", "87.106.139.101:8080", "66.76.12.94:8080", "139.59.60.244:8080", "112.185.64.233:80", "85.105.111.166:80", "74.208.45.104:8080", "94.230.70.6:80", "49.3.224.99:8080", "119.59.116.21:8080", "182.208.30.18:443", "184.180.181.202:80", "47.36.140.164:80", "186.70.56.94:443", "187.161.206.24:80", "102.182.93.220:80", "201.171.244.130:80", "190.12.119.180:443", "89.121.205.18:80", "110.145.77.103:80", "172.105.13.66:443", "108.46.29.236:80", "49.50.209.131:80", "75.143.247.51:80", "137.59.187.107:8080", "188.219.31.12:80", "61.33.119.226:443", "209.141.54.221:7080", "95.213.236.64:8080", "120.150.60.189:80", "190.164.104.62:80", "186.74.215.34:80", "139.99.158.11:443", "61.19.246.238:443", "121.7.31.214:80", "88.153.35.32:80", "5.39.91.110:7080", "123.142.37.166:80", "50.245.107.73:443", "95.9.5.93:80", "37.139.21.175:8080", "157.245.99.39:8080", "217.123.207.149:80", "72.186.136.247:443", "115.94.207.99:443", "202.141.243.254:443", "78.24.219.147:8080", "97.82.79.83:80", "217.20.166.178:7080", "203.153.216.189:7080", "220.245.198.194:80", "168.235.67.138:7080", "110.142.236.207:80", "162.241.140.129:8080", "76.175.162.101:80", "27.114.9.93:80", "24.178.90.49:80", "202.134.4.211:8080", "123.176.25.234:80", "61.76.222.210:80", "109.116.245.80:80", "139.162.60.124:8080", "190.108.228.27:443", "94.23.237.171:443", "2.58.16.89:8080", "37.179.204.33:80", "96.245.227.43:80", "216.139.123.119:80", "89.216.122.92:80", "37.187.72.193:8080", "74.214.230.200:80", "93.147.212.206:80", "103.86.49.11:8080", "174.106.122.139:80", "138.68.87.218:443", "118.83.154.64:443", "200.116.145.225:443", "94.200.114.161:80", "62.75.141.82:80", "121.124.124.40:7080", "176.113.52.6:443", "24.137.76.62:80", "41.185.28.84:8080", "50.91.114.38:80", "46.105.131.79:8080", "109.74.5.95:8080", "67.170.250.203:443"]}

Multi AV Scanner detection for submitted file

Source: 0TOEtGJHN8.exe	Virustotal: Detection: 85%			Perma Link
Source: 0TOEtGJHN8.exe	Metadefender: Detection: 45%			Perma Link
Source: 0TOEtGJHN8.exe	ReversingLabs: Detection: 88%

Antivirus / Scanner detection for submitted sample

Source: 0TOEtGJHN8.exe

Avira: detected

Machine Learning detection for sample

Source: 0TOEtGJHN8.exe

Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA2290 CryptGetHashParam,CryptEncrypt,CryptDestroyHash,CryptDuplicateHash,memcpy,CryptExportKey,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,		3_2_02AA2290
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,		3_2_02AA2650
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA1FB0 memcpy,GetProcessHeap,RtlAllocateHeap,CryptDestroyHash,CryptDuplicateHash,		3_2_02AA1FB0

Compliance:

Uses 32bit PE files

Source: 0TOEtGJHN8.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,		0_2_029C38F0
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,		3_2_02AA38F0

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 102.182.145.130:80
Source: Malware configuration extractor	IPs: 173.173.254.105:80
Source: Malware configuration extractor	IPs: 64.207.182.168:8080
Source: Malware configuration extractor	IPs: 51.89.199.141:8080
Source: Malware configuration extractor	IPs: 167.114.153.111:8080
Source: Malware configuration extractor	IPs: 173.63.222.65:80
Source: Malware configuration extractor	IPs: 218.147.193.146:80
Source: Malware configuration extractor	IPs: 59.125.219.109:443
Source: Malware configuration extractor	IPs: 172.104.97.173:8080
Source: Malware configuration extractor	IPs: 190.162.215.233:80
Source: Malware configuration extractor	IPs: 68.115.186.26:80
Source: Malware configuration extractor	IPs: 78.188.106.53:443
Source: Malware configuration extractor	IPs: 190.240.194.77:443
Source: Malware configuration extractor	IPs: 24.133.106.23:80
Source: Malware configuration extractor	IPs: 80.227.52.78:80
Source: Malware configuration extractor	IPs: 79.137.83.50:443
Source: Malware configuration extractor	IPs: 120.150.218.241:443
Source: Malware configuration extractor	IPs: 62.171.142.179:8080
Source: Malware configuration extractor	IPs: 194.4.58.192:7080
Source: Malware configuration extractor	IPs: 62.30.7.67:443
Source: Malware configuration extractor	IPs: 134.209.144.106:443
Source: Malware configuration extractor	IPs: 24.230.141.169:80
Source: Malware configuration extractor	IPs: 194.190.67.75:80
Source: Malware configuration extractor	IPs: 172.91.208.86:80
Source: Malware configuration extractor	IPs: 201.241.127.190:80
Source: Malware configuration extractor	IPs: 185.94.252.104:443
Source: Malware configuration extractor	IPs: 104.131.11.150:443
Source: Malware configuration extractor	IPs: 71.15.245.148:8080
Source: Malware configuration extractor	IPs: 176.111.60.55:8080
Source: Malware configuration extractor	IPs: 172.86.188.251:8080
Source: Malware configuration extractor	IPs: 194.187.133.160:443
Source: Malware configuration extractor	IPs: 113.61.66.94:80
Source: Malware configuration extractor	IPs: 91.211.88.52:7080
Source: Malware configuration extractor	IPs: 202.134.4.216:8080
Source: Malware configuration extractor	IPs: 154.91.33.137:443
Source: Malware configuration extractor	IPs: 74.40.205.197:443
Source: Malware configuration extractor	IPs: 87.106.139.101:8080
Source: Malware configuration extractor	IPs: 66.76.12.94:8080
Source: Malware configuration extractor	IPs: 139.59.60.244:8080
Source: Malware configuration extractor	IPs: 112.185.64.233:80
Source: Malware configuration extractor	IPs: 85.105.111.166:80
Source: Malware configuration extractor	IPs: 74.208.45.104:8080
Source: Malware configuration extractor	IPs: 94.230.70.6:80
Source: Malware configuration extractor	IPs: 49.3.224.99:8080
Source: Malware configuration extractor	IPs: 119.59.116.21:8080
Source: Malware configuration extractor	IPs: 182.208.30.18:443
Source: Malware configuration extractor	IPs: 184.180.181.202:80
Source: Malware configuration extractor	IPs: 47.36.140.164:80
Source: Malware configuration extractor	IPs: 186.70.56.94:443
Source: Malware configuration extractor	IPs: 187.161.206.24:80
Source: Malware configuration extractor	IPs: 102.182.93.220:80
Source: Malware configuration extractor	IPs: 201.171.244.130:80
Source: Malware configuration extractor	IPs: 190.12.119.180:443
Source: Malware configuration extractor	IPs: 89.121.205.18:80
Source: Malware configuration extractor	IPs: 110.145.77.103:80
Source: Malware configuration extractor	IPs: 172.105.13.66:443
Source: Malware configuration extractor	IPs: 108.46.29.236:80
Source: Malware configuration extractor	IPs: 49.50.209.131:80
Source: Malware configuration extractor	IPs: 75.143.247.51:80
Source: Malware configuration extractor	IPs: 137.59.187.107:8080
Source: Malware configuration extractor	IPs: 188.219.31.12:80
Source: Malware configuration extractor	IPs: 61.33.119.226:443
Source: Malware configuration extractor	IPs: 209.141.54.221:7080
Source: Malware configuration extractor	IPs: 95.213.236.64:8080
Source: Malware configuration extractor	IPs: 120.150.60.189:80
Source: Malware configuration extractor	IPs: 190.164.104.62:80
Source: Malware configuration extractor	IPs: 186.74.215.34:80
Source: Malware configuration extractor	IPs: 139.99.158.11:443
Source: Malware configuration extractor	IPs: 61.19.246.238:443
Source: Malware configuration extractor	IPs: 121.7.31.214:80
Source: Malware configuration extractor	IPs: 88.153.35.32:80
Source: Malware configuration extractor	IPs: 5.39.91.110:7080
Source: Malware configuration extractor	IPs: 123.142.37.166:80
Source: Malware configuration extractor	IPs: 50.245.107.73:443
Source: Malware configuration extractor	IPs: 95.9.5.93:80
Source: Malware configuration extractor	IPs: 37.139.21.175:8080
Source: Malware configuration extractor	IPs: 157.245.99.39:8080
Source: Malware configuration extractor	IPs: 217.123.207.149:80
Source: Malware configuration extractor	IPs: 72.186.136.247:443
Source: Malware configuration extractor	IPs: 115.94.207.99:443
Source: Malware configuration extractor	IPs: 202.141.243.254:443
Source: Malware configuration extractor	IPs: 78.24.219.147:8080
Source: Malware configuration extractor	IPs: 97.82.79.83:80
Source: Malware configuration extractor	IPs: 217.20.166.178:7080
Source: Malware configuration extractor	IPs: 203.153.216.189:7080
Source: Malware configuration extractor	IPs: 220.245.198.194:80
Source: Malware configuration extractor	IPs: 168.235.67.138:7080
Source: Malware configuration extractor	IPs: 110.142.236.207:80
Source: Malware configuration extractor	IPs: 162.241.140.129:8080
Source: Malware configuration extractor	IPs: 76.175.162.101:80
Source: Malware configuration extractor	IPs: 27.114.9.93:80
Source: Malware configuration extractor	IPs: 24.178.90.49:80
Source: Malware configuration extractor	IPs: 202.134.4.211:8080
Source: Malware configuration extractor	IPs: 123.176.25.234:80
Source: Malware configuration extractor	IPs: 61.76.222.210:80
Source: Malware configuration extractor	IPs: 109.116.245.80:80
Source: Malware configuration extractor	IPs: 139.162.60.124:8080
Source: Malware configuration extractor	IPs: 190.108.228.27:443
Source: Malware configuration extractor	IPs: 94.23.237.171:443
Source: Malware configuration extractor	IPs: 2.58.16.89:8080
Source: Malware configuration extractor	IPs: 37.179.204.33:80
Source: Malware configuration extractor	IPs: 96.245.227.43:80
Source: Malware configuration extractor	IPs: 216.139.123.119:80
Source: Malware configuration extractor	IPs: 89.216.122.92:80
Source: Malware configuration extractor	IPs: 37.187.72.193:8080
Source: Malware configuration extractor	IPs: 74.214.230.200:80
Source: Malware configuration extractor	IPs: 93.147.212.206:80
Source: Malware configuration extractor	IPs: 103.86.49.11:8080
Source: Malware configuration extractor	IPs: 174.106.122.139:80
Source: Malware configuration extractor	IPs: 138.68.87.218:443
Source: Malware configuration extractor	IPs: 118.83.154.64:443
Source: Malware configuration extractor	IPs: 200.116.145.225:443
Source: Malware configuration extractor	IPs: 94.200.114.161:80
Source: Malware configuration extractor	IPs: 62.75.141.82:80
Source: Malware configuration extractor	IPs: 121.124.124.40:7080
Source: Malware configuration extractor	IPs: 176.113.52.6:443
Source: Malware configuration extractor	IPs: 24.137.76.62:80
Source: Malware configuration extractor	IPs: 41.185.28.84:8080
Source: Malware configuration extractor	IPs: 50.91.114.38:80
Source: Malware configuration extractor	IPs: 46.105.131.79:8080
Source: Malware configuration extractor	IPs: 109.74.5.95:8080
Source: Malware configuration extractor	IPs: 67.170.250.203:443

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: HOSTER-KZ HOSTER-KZ
Source: Joe Sandbox View	ASN Name: AfrihostZA AfrihostZA

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 194.4.58.192 194.4.58.192
Source: Joe Sandbox View	IP Address: 95.9.5.93 95.9.5.93
Source: Joe Sandbox View	IP Address: 94.200.114.161 94.200.114.161

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: POST /VRRce6rlsw9pK/DtY9XymlLmhK7GfUco/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 59.125.219.109/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------------vX8jXrCzouVUfgwEUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 59.125.219.109:443Content-Length: 4580Cache-Control: no-cache

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.5:49750 -> 64.207.182.168:8080
Source: global traffic	TCP traffic: 192.168.2.5:49788 -> 51.89.199.141:8080
Source: global traffic	TCP traffic: 192.168.2.5:49802 -> 167.114.153.111:8080

Connects to several IPs in different countries

Source: unknown

Network traffic detected: IP country count 35

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 102.182.145.130
Source: unknown	TCP traffic detected without corresponding DNS query: 102.182.145.130
Source: unknown	TCP traffic detected without corresponding DNS query: 102.182.145.130
Source: unknown	TCP traffic detected without corresponding DNS query: 173.173.254.105
Source: unknown	TCP traffic detected without corresponding DNS query: 173.173.254.105
Source: unknown	TCP traffic detected without corresponding DNS query: 173.173.254.105
Source: unknown	TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown	TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown	TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 173.63.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 173.63.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 173.63.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 218.147.193.146
Source: unknown	TCP traffic detected without corresponding DNS query: 218.147.193.146
Source: unknown	TCP traffic detected without corresponding DNS query: 218.147.193.146
Source: unknown	TCP traffic detected without corresponding DNS query: 59.125.219.109
Source: unknown	TCP traffic detected without corresponding DNS query: 59.125.219.109
Source: unknown	TCP traffic detected without corresponding DNS query: 59.125.219.109
Source: unknown	TCP traffic detected without corresponding DNS query: 59.125.219.109
Source: unknown	TCP traffic detected without corresponding DNS query: 172.104.97.173
Source: unknown	TCP traffic detected without corresponding DNS query: 172.104.97.173
Source: unknown	TCP traffic detected without corresponding DNS query: 172.104.97.173

Found strings which match to known social media urls

Source: svchost.exe, 0000001F.00000003.578669911.00000249A9D99000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001F.00000003.578669911.00000249A9D99000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001F.00000003.578669911.00000249A9D99000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-09-03T08:13:47.6485296Z||.||9eff4c9e-5599-4773-81dc-0299af880dd5||1152921505693851877||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000001F.00000003.578669911.00000249A9D99000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-09-03T08:13:47.6485296Z||.||9eff4c9e-5599-4773-81dc-0299af880dd5||1152921505693851877||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000001F.00000003.571262172.00000249A9DB7000.00000004.00000001.sdmp	String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTit equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001F.00000003.571262172.00000249A9DB7000.00000004.00000001.sdmp	String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTit equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001F.00000003.571262172.00000249A9DB7000.00000004.00000001.sdmp	String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTit equals www.youtube.com (Youtube)
Source: svchost.exe, 0000001F.00000003.571166368.00000249A9D95000.00000004.00000001.sdmp	String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: svchost.exe, 0000001F.00000003.571166368.00000249A9D95000.00000004.00000001.sdmp	String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: svchost.exe, 0000001F.00000003.571166368.00000249A9D95000.00000004.00000001.sdmp	String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac

URLs found in memory or binary data

Source: mfnetsrc.exe, 00000003.00000003.389444928.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: http://102.182.145.130/Zffxf
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp	String found in binary or memory: http://102.182.145.130/ZffxffN/UUQGAqPKLO/
Source: mfnetsrc.exe, 00000003.00000002.643617963.0000000003160000.00000004.00000001.sdmp	String found in binary or memory: http://102.182.145.130/ZffxffN/UUQGAqPKLO/r
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp	String found in binary or memory: http://167.114.153.111:8080/Rbtuwk6tKXDP8l/q4Zme1rFlg/AdvdAlL/
Source: mfnetsrc.exe, 00000003.00000003.593894510.0000000003182000.00000004.00000001.sdmp	String found in binary or memory: http://167.114.153.111:8080/Rbtuwk6tKXDP8l/q4Zme1rFlg/AdvdAlL/A
Source: mfnetsrc.exe, 00000003.00000002.643617963.0000000003160000.00000004.00000001.sdmp	String found in binary or memory: http://167.114.153.111:8080/Rbtuwk6tKXDP8l/q4Zme1rFlg/AdvdAlL/b4ILIf/Q8rZVqkkq/rDnmG2Ans/
Source: mfnetsrc.exe, 00000003.00000002.643617963.0000000003160000.00000004.00000001.sdmp	String found in binary or memory: http://172.104.97.173:8080/NrjO6cKOEtsgnTfdu/DdqP4I6wYv/OEK9fq/iwQk9ak8yU1H9c63AU/
Source: mfnetsrc.exe, 00000003.00000002.643617963.0000000003160000.00000004.00000001.sdmp	String found in binary or memory: http://172.104.97.173:8080/NrjO6cKOEtsgnTfdu/DdqP4I6wYv/OEK9fq/iwQk9ak8yU1H9c63AU/lication/octet-str
Source: mfnetsrc.exe, 00000003.00000002.643371598.0000000002BC6000.00000004.00000001.sdmp	String found in binary or memory: http://173.173.254.105/dVjtW6oMoXz0rsF/f6FHy9ps6/FNv98e/sYjdUx6EAD0WvYm/
Source: mfnetsrc.exe, 00000003.00000002.643371598.0000000002BC6000.00000004.00000001.sdmp	String found in binary or memory: http://173.173.254.105/dVjtW6oMoXz0rsF/f6FHy9ps6/FNv98e/sYjdUx6EAD0WvYm/t
Source: mfnetsrc.exe, 00000003.00000003.389444928.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: http://173.173.254.105/dVjtW6oMoXz0rsF/f6FHy9ps6/FNv98e/sYjdUx6EAD0WvYm/u
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp, mfnetsrc.exe, 00000003.00000003.593894510.0000000003182000.00000004.00000001.sdmp	String found in binary or memory: http://173.63.222.65/VQIMkjZKFdAVmy/
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp	String found in binary or memory: http://173.63.222.65/VQIMkjZKFdAVmy/be209e2c34a9550b8LMEM
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp	String found in binary or memory: http://218.147.193.146/GJXuLUUeqrq95alY1u/oD6pJ15oDS4/Z4M9h0lWKV4FEH0yB/k3vm9W8xS/TW0iKm9TEcJ7gRi0P/
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp	String found in binary or memory: http://51.89.199.141:8080/7zUrbHAgoGBYLL/SfmOyzopGPV6GjKjz/2Kjj2o/
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp	String found in binary or memory: http://51.89.199.141:8080/7zUrbHAgoGBYLL/SfmOyzopGPV6GjKjz/2Kjj2o/r7Gp
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp	String found in binary or memory: http://59.125.219.109:443/VRRce6rlsw9pK/DtY9XymlLmhK7GfUco/
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp	String found in binary or memory: http://64.207.182.168:8080/OQYP1ogFQccmQuTysw1/v0tPhparrkDhC/NKHirfkcd6IUp4b2kRd/qhg8GSGX1b4ILIf/Q8r
Source: svchost.exe, 00000008.00000002.535480278.0000026188A8B000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.599966953.00000249A9D00000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000008.00000002.535270378.0000026188A11000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.599866160.00000249A94EB000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000C.00000002.305156857.00000222E6C13000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000001F.00000003.571166368.00000249A9D95000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.571262172.00000249A9DB7000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 0000001F.00000003.571166368.00000249A9D95000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.571262172.00000249A9DB7000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 0000000A.00000002.640427785.000001EC0AE3E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000A.00000002.640427785.000001EC0AE3E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000A.00000002.640427785.000001EC0AE3E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000A.00000002.640427785.000001EC0AE3E000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000002.640427785.000001EC0AE3E000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000001F.00000003.577888353.00000249AA202000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.577764522.00000249A9DAA000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000001F.00000003.577888353.00000249AA202000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.577764522.00000249A9DAA000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.577751494.00000249A9D99000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000000C.00000003.304857438.00000222E6C5A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000002.305240035.00000222E6C5C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.305215297.00000222E6C3C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000002.305240035.00000222E6C5C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000003.304841010.00000222E6C47000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000C.00000002.305240035.00000222E6C5C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.305215297.00000222E6C3C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000C.00000003.304878671.00000222E6C40000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000C.00000003.304878671.00000222E6C40000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000002.305258030.00000222E6C5E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000C.00000003.304857438.00000222E6C5A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000002.305258030.00000222E6C5E000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000002.305258030.00000222E6C5E000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000002.305266612.00000222E6C62000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.304857438.00000222E6C5A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.305215297.00000222E6C3C000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000003.283049058.00000222E6C31000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000001F.00000003.577888353.00000249AA202000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.577764522.00000249A9DAA000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 0000001F.00000003.571166368.00000249A9D95000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.571262172.00000249A9DB7000.00000004.00000001.sdmp	String found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
Source: svchost.exe, 0000000C.00000002.305215297.00000222E6C3C000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.305156857.00000222E6C13000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.305215297.00000222E6C3C000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000003.283049058.00000222E6C31000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000003.304894765.00000222E6C56000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000003.283049058.00000222E6C31000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000C.00000002.305209467.00000222E6C3A000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000C.00000003.304841010.00000222E6C47000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 0000001F.00000003.577888353.00000249AA202000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.577764522.00000249A9DAA000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000001F.00000003.577888353.00000249AA202000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.577764522.00000249A9DAA000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy
Source: svchost.exe, 0000001F.00000003.572380552.00000249A9DB7000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.572491250.00000249A9D95000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.572338438.00000249A9D95000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Posts data to webserver

Source: unknown

HTTP traffic detected: POST /VRRce6rlsw9pK/DtY9XymlLmhK7GfUco/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 59.125.219.109/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------------vX8jXrCzouVUfgwEUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 59.125.219.109:443Content-Length: 4580Cache-Control: no-cache

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: 0TOEtGJHN8.exe, 00000000.00000002.249119862.0000000000F2A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet

Source: Yara match	File source: 3.2.mfnetsrc.exe.29f279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0TOEtGJHN8.exe.29c0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0TOEtGJHN8.exe.290279e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.mfnetsrc.exe.2aa0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0TOEtGJHN8.exe.290279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0TOEtGJHN8.exe.290052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.mfnetsrc.exe.29f279e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.mfnetsrc.exe.29f052e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.mfnetsrc.exe.29f052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0TOEtGJHN8.exe.290052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.642790111.0000000002A34000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.642626999.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.249411331.0000000002900000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.249721472.0000000002944000.00000004.00000001.sdmp, type: MEMORY

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)

Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe

Code function: 3_2_02AA2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,

3_2_02AA2650

System Summary:

Uses 32bit PE files

Source: 0TOEtGJHN8.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Deletes files inside the Windows folder

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

File deleted: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe:Zone.Identifier

Jump to behavior

Creates files inside the system directory

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

File created: C:\Windows\SysWOW64\keyiso\

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C8240		0_2_029C8240
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C3BA0		0_2_029C3BA0
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C3D10		0_2_029C3D10
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C6530		0_2_029C6530
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C3F20		0_2_029C3F20
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C7740		0_2_029C7740
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C1C70		0_2_029C1C70
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_02905ABE		0_2_02905ABE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029092DE		0_2_029092DE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_0290573E		0_2_0290573E
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029058AE		0_2_029058AE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029080CE		0_2_029080CE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_0290380E		0_2_0290380E
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_02917069		0_2_02917069
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_02909DDE		0_2_02909DDE
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA8240		3_2_02AA8240
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA3BA0		3_2_02AA3BA0
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA3F20		3_2_02AA3F20
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA6530		3_2_02AA6530
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA3D10		3_2_02AA3D10
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA1C70		3_2_02AA1C70
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA7740		3_2_02AA7740
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_029F5ABE		3_2_029F5ABE
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_029F92DE		3_2_029F92DE
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_029F573E		3_2_029F573E
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_029F58AE		3_2_029F58AE
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_029F80CE		3_2_029F80CE
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_029F380E		3_2_029F380E
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02A07069		3_2_02A07069
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_029F9DDE		3_2_029F9DDE

Abnormal high CPU Usage

Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe

Process Stats: CPU usage > 98%

Tries to load missing DLLs

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll			Jump to behavior

Sample is known by Antivirus

Source: 0TOEtGJHN8.exe	Virustotal: Detection: 85%
Source: 0TOEtGJHN8.exe	Metadefender: Detection: 45%
Source: 0TOEtGJHN8.exe	ReversingLabs: Detection: 88%

PE file has an executable .text section and no other executable section

Source: 0TOEtGJHN8.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\0TOEtGJHN8.exe 'C:\Users\user\Desktop\0TOEtGJHN8.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Process created: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe C:\Windows\SysWOW64\keyiso\mfnetsrc.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Process created: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe C:\Windows\SysWOW64\keyiso\mfnetsrc.exe			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winEXE@20/10@0/100

Contains functionality to create services

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

Code function: CloseServiceHandle,_snwprintf,CreateServiceW,CloseServiceHandle,

0_2_029C87D0

Reads ini files

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

File read: C:\Users\desktop.ini

Jump to behavior

Contains functionality to modify services (start/stop/modify)

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

Code function: 0_2_029C5070 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,

0_2_029C5070

Contains functionality to enum processes or threads

Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe

Code function: 3_2_02AA4CB0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification,

3_2_02AA4CB0

Creates mutexes

Source: C:\Windows\System32\conhost.exe

Mutant created: \BaseNamedObjects\Local\SM0:2592:120:WilError_01

Reads the hosts file

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C5D90 push ecx; mov dword ptr [esp], 0000B2E0h		0_2_029C5D91
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C5EA0 push ecx; mov dword ptr [esp], 0000A3FDh		0_2_029C5EA1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C5CD0 push ecx; mov dword ptr [esp], 00001CE1h		0_2_029C5CD1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C5DC0 push ecx; mov dword ptr [esp], 000089FAh		0_2_029C5DC1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C5DF0 push ecx; mov dword ptr [esp], 0000AAF5h		0_2_029C5DF1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C5EF0 push ecx; mov dword ptr [esp], 0000669Ch		0_2_029C5EF1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C5E10 push ecx; mov dword ptr [esp], 0000F5B3h		0_2_029C5E11
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C5D00 push ecx; mov dword ptr [esp], 00001F9Eh		0_2_029C5D01
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C5D20 push ecx; mov dword ptr [esp], 0000C5A1h		0_2_029C5D21
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C5F20 push ecx; mov dword ptr [esp], 0000E36Ch		0_2_029C5F21
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C5D50 push ecx; mov dword ptr [esp], 00006847h		0_2_029C5D51
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_02923E9C push ebx; iretd		0_2_02923EAF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_02923E9C push FFFFFF95h; iretd		0_2_02923EF1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_02907A8E push ecx; mov dword ptr [esp], 0000669Ch		0_2_02907A8F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_02907ABE push ecx; mov dword ptr [esp], 0000E36Ch		0_2_02907ABF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_02907A3E push ecx; mov dword ptr [esp], 0000A3FDh		0_2_02907A3F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_0290789E push ecx; mov dword ptr [esp], 00001F9Eh		0_2_0290789F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029078BE push ecx; mov dword ptr [esp], 0000C5A1h		0_2_029078BF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029078EE push ecx; mov dword ptr [esp], 00006847h		0_2_029078EF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_0290786E push ecx; mov dword ptr [esp], 00001CE1h		0_2_0290786F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_0290798E push ecx; mov dword ptr [esp], 0000AAF5h		0_2_0290798F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_0291858F push edi; iretd		0_2_029185A1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029079AE push ecx; mov dword ptr [esp], 0000F5B3h		0_2_029079AF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029239D9 push ss; iretd		0_2_029239DE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_0290792E push ecx; mov dword ptr [esp], 0000B2E0h		0_2_0290792F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_0290795E push ecx; mov dword ptr [esp], 000089FAh		0_2_0290795F
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA5EA0 push ecx; mov dword ptr [esp], 0000A3FDh		3_2_02AA5EA1
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA5D90 push ecx; mov dword ptr [esp], 0000B2E0h		3_2_02AA5D91
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA5DF0 push ecx; mov dword ptr [esp], 0000AAF5h		3_2_02AA5DF1
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA5EF0 push ecx; mov dword ptr [esp], 0000669Ch		3_2_02AA5EF1
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA5DC0 push ecx; mov dword ptr [esp], 000089FAh		3_2_02AA5DC1

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

Code function: 0_2_02941030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

0_2_02941030

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

Executable created and started: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe

Jump to behavior

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

PE file moved: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

File opened: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe:Zone.Identifier read attributes | delete

Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\System32\svchost.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate

Jump to behavior

Malware Analysis System Evasion:

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\svchost.exe

System information queried: FirmwareTableInformation

Jump to behavior

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\svchost.exe TID: 5652	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4640	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1860	Thread sleep time: -30000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Contains functionality to enumerate running services

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,

0_2_029C5070

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Queries a list of all running processes

Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,		0_2_029C38F0
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,		3_2_02AA38F0

Program exit points

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	API call chain: ExitProcess graph end node

Checks the free space of harddrives

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: svchost.exe, 00000008.00000002.535436324.0000026188A64000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.599879058.00000249A94FA000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 0000000E.00000002.641504241.0000014ADA891000.00000004.00000001.sdmp	Binary or memory string: VMware7,1
Source: svchost.exe, 00000004.00000002.640210864.000001B725202000.00000004.00000001.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.535370026.0000026188A4E000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.599866160.00000249A94EB000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000E.00000002.641504241.0000014ADA891000.00000004.00000001.sdmp	Binary or memory string: VMware, Inc.ed
Source: svchost.exe, 00000004.00000002.640316593.000001B725228000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.640557549.000001EC0AE65000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.640340368.000001F95402A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

Code function: 0_2_02941030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

0_2_02941030

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

Code function: 0_2_029C36B0 _snwprintf,GetProcessHeap,DeleteFileW,DeleteFileW,

0_2_029C36B0

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C3F20 mov eax, dword ptr fs:[00000030h]		0_2_029C3F20
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C4E20 mov eax, dword ptr fs:[00000030h]		0_2_029C4E20
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_02905ABE mov eax, dword ptr fs:[00000030h]		0_2_02905ABE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_02900456 mov eax, dword ptr fs:[00000030h]		0_2_02900456
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029069BE mov eax, dword ptr fs:[00000030h]		0_2_029069BE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_0290095E mov eax, dword ptr fs:[00000030h]		0_2_0290095E
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_02941030 mov eax, dword ptr fs:[00000030h]		0_2_02941030
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA3F20 mov eax, dword ptr fs:[00000030h]		3_2_02AA3F20
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA4E20 mov eax, dword ptr fs:[00000030h]		3_2_02AA4E20
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_029F5ABE mov eax, dword ptr fs:[00000030h]		3_2_029F5ABE
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_029F0456 mov eax, dword ptr fs:[00000030h]		3_2_029F0456
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_029F69BE mov eax, dword ptr fs:[00000030h]		3_2_029F69BE
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_029F095E mov eax, dword ptr fs:[00000030h]		3_2_029F095E
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02A31030 mov eax, dword ptr fs:[00000030h]		3_2_02A31030

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Source: mfnetsrc.exe, 00000003.00000002.642411104.00000000015E0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: mfnetsrc.exe, 00000003.00000002.642411104.00000000015E0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: mfnetsrc.exe, 00000003.00000002.642411104.00000000015E0000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: mfnetsrc.exe, 00000003.00000002.642411104.00000000015E0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: mfnetsrc.exe, 00000003.00000002.642411104.00000000015E0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Contains functionality to query local / system time

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

Code function: 0_2_029C7EC0 _snwprintf,GetProcessHeap,SetFileInformationByHandle,SetFileInformationByHandle,GetSystemTimeAsFileTime,CreateFileW,CreateFileW,CloseHandle,

0_2_029C7EC0

Contains functionality to query windows version

Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe

Code function: 3_2_02AA5360 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo,

3_2_02AA5360

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

AV process strings found (often used to terminate AV products)

Source: svchost.exe, 0000000E.00000002.642858503.0000014ADB16D000.00000004.00000001.sdmp	Binary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe
Source: svchost.exe, 0000000F.00000002.640571004.000001D477629000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet

Source: Yara match	File source: 3.2.mfnetsrc.exe.29f279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0TOEtGJHN8.exe.29c0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0TOEtGJHN8.exe.290279e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.mfnetsrc.exe.2aa0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0TOEtGJHN8.exe.290279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0TOEtGJHN8.exe.290052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.mfnetsrc.exe.29f279e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.mfnetsrc.exe.29f052e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.mfnetsrc.exe.29f052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0TOEtGJHN8.exe.290052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.642790111.0000000002A34000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.642626999.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.249411331.0000000002900000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.249721472.0000000002944000.00000004.00000001.sdmp, type: MEMORY