Windows Analysis Report 0TOEtGJHN8.exe

Overview

General Information

Sample Name: 0TOEtGJHN8.exe
Analysis ID: 480340
MD5: 3639d17c4944743ac5c70c4e1bd30178
SHA1: 0047a882cf542b94754496c8cb985ab64561f72c
SHA256: 2cb7516c937ad8b9467ca417530651e34340d231c3696149c7d7b22e24ffaf9b
Infos:

Most interesting Screenshot:

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
Query firmware table information (likely to detect VMs)
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Abnormal high CPU Usage
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection:

barindex
Found malware configuration
Source: 0.2.0TOEtGJHN8.exe.290279e.1.unpack Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["102.182.145.130:80", "173.173.254.105:80", "64.207.182.168:8080", "51.89.199.141:8080", "167.114.153.111:8080", "173.63.222.65:80", "218.147.193.146:80", "59.125.219.109:443", "172.104.97.173:8080", "190.162.215.233:80", "68.115.186.26:80", "78.188.106.53:443", "190.240.194.77:443", "24.133.106.23:80", "80.227.52.78:80", "79.137.83.50:443", "120.150.218.241:443", "62.171.142.179:8080", "194.4.58.192:7080", "62.30.7.67:443", "134.209.144.106:443", "24.230.141.169:80", "194.190.67.75:80", "172.91.208.86:80", "201.241.127.190:80", "185.94.252.104:443", "104.131.11.150:443", "71.15.245.148:8080", "176.111.60.55:8080", "172.86.188.251:8080", "194.187.133.160:443", "113.61.66.94:80", "91.211.88.52:7080", "202.134.4.216:8080", "154.91.33.137:443", "74.40.205.197:443", "87.106.139.101:8080", "66.76.12.94:8080", "139.59.60.244:8080", "112.185.64.233:80", "85.105.111.166:80", "74.208.45.104:8080", "94.230.70.6:80", "49.3.224.99:8080", "119.59.116.21:8080", "182.208.30.18:443", "184.180.181.202:80", "47.36.140.164:80", "186.70.56.94:443", "187.161.206.24:80", "102.182.93.220:80", "201.171.244.130:80", "190.12.119.180:443", "89.121.205.18:80", "110.145.77.103:80", "172.105.13.66:443", "108.46.29.236:80", "49.50.209.131:80", "75.143.247.51:80", "137.59.187.107:8080", "188.219.31.12:80", "61.33.119.226:443", "209.141.54.221:7080", "95.213.236.64:8080", "120.150.60.189:80", "190.164.104.62:80", "186.74.215.34:80", "139.99.158.11:443", "61.19.246.238:443", "121.7.31.214:80", "88.153.35.32:80", "5.39.91.110:7080", "123.142.37.166:80", "50.245.107.73:443", "95.9.5.93:80", "37.139.21.175:8080", "157.245.99.39:8080", "217.123.207.149:80", "72.186.136.247:443", "115.94.207.99:443", "202.141.243.254:443", "78.24.219.147:8080", "97.82.79.83:80", "217.20.166.178:7080", "203.153.216.189:7080", "220.245.198.194:80", "168.235.67.138:7080", "110.142.236.207:80", "162.241.140.129:8080", "76.175.162.101:80", "27.114.9.93:80", "24.178.90.49:80", "202.134.4.211:8080", "123.176.25.234:80", "61.76.222.210:80", "109.116.245.80:80", "139.162.60.124:8080", "190.108.228.27:443", "94.23.237.171:443", "2.58.16.89:8080", "37.179.204.33:80", "96.245.227.43:80", "216.139.123.119:80", "89.216.122.92:80", "37.187.72.193:8080", "74.214.230.200:80", "93.147.212.206:80", "103.86.49.11:8080", "174.106.122.139:80", "138.68.87.218:443", "118.83.154.64:443", "200.116.145.225:443", "94.200.114.161:80", "62.75.141.82:80", "121.124.124.40:7080", "176.113.52.6:443", "24.137.76.62:80", "41.185.28.84:8080", "50.91.114.38:80", "46.105.131.79:8080", "109.74.5.95:8080", "67.170.250.203:443"]}
Multi AV Scanner detection for submitted file
Source: 0TOEtGJHN8.exe Virustotal: Detection: 85% Perma Link
Source: 0TOEtGJHN8.exe Metadefender: Detection: 45% Perma Link
Source: 0TOEtGJHN8.exe ReversingLabs: Detection: 88%
Antivirus / Scanner detection for submitted sample
Source: 0TOEtGJHN8.exe Avira: detected
Machine Learning detection for sample
Source: 0TOEtGJHN8.exe Joe Sandbox ML: detected

Cryptography:

barindex
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_02AA2290 CryptGetHashParam,CryptEncrypt,CryptDestroyHash,CryptDuplicateHash,memcpy,CryptExportKey,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap, 3_2_02AA2290
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_02AA2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx, 3_2_02AA2650
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_02AA1FB0 memcpy,GetProcessHeap,RtlAllocateHeap,CryptDestroyHash,CryptDuplicateHash, 3_2_02AA1FB0

Compliance:

barindex
Uses 32bit PE files
Source: 0TOEtGJHN8.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029C38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose, 0_2_029C38F0
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_02AA38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose, 3_2_02AA38F0

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 102.182.145.130:80
Source: Malware configuration extractor IPs: 173.173.254.105:80
Source: Malware configuration extractor IPs: 64.207.182.168:8080
Source: Malware configuration extractor IPs: 51.89.199.141:8080
Source: Malware configuration extractor IPs: 167.114.153.111:8080
Source: Malware configuration extractor IPs: 173.63.222.65:80
Source: Malware configuration extractor IPs: 218.147.193.146:80
Source: Malware configuration extractor IPs: 59.125.219.109:443
Source: Malware configuration extractor IPs: 172.104.97.173:8080
Source: Malware configuration extractor IPs: 190.162.215.233:80
Source: Malware configuration extractor IPs: 68.115.186.26:80
Source: Malware configuration extractor IPs: 78.188.106.53:443
Source: Malware configuration extractor IPs: 190.240.194.77:443
Source: Malware configuration extractor IPs: 24.133.106.23:80
Source: Malware configuration extractor IPs: 80.227.52.78:80
Source: Malware configuration extractor IPs: 79.137.83.50:443
Source: Malware configuration extractor IPs: 120.150.218.241:443
Source: Malware configuration extractor IPs: 62.171.142.179:8080
Source: Malware configuration extractor IPs: 194.4.58.192:7080
Source: Malware configuration extractor IPs: 62.30.7.67:443
Source: Malware configuration extractor IPs: 134.209.144.106:443
Source: Malware configuration extractor IPs: 24.230.141.169:80
Source: Malware configuration extractor IPs: 194.190.67.75:80
Source: Malware configuration extractor IPs: 172.91.208.86:80
Source: Malware configuration extractor IPs: 201.241.127.190:80
Source: Malware configuration extractor IPs: 185.94.252.104:443
Source: Malware configuration extractor IPs: 104.131.11.150:443
Source: Malware configuration extractor IPs: 71.15.245.148:8080
Source: Malware configuration extractor IPs: 176.111.60.55:8080
Source: Malware configuration extractor IPs: 172.86.188.251:8080
Source: Malware configuration extractor IPs: 194.187.133.160:443
Source: Malware configuration extractor IPs: 113.61.66.94:80
Source: Malware configuration extractor IPs: 91.211.88.52:7080
Source: Malware configuration extractor IPs: 202.134.4.216:8080
Source: Malware configuration extractor IPs: 154.91.33.137:443
Source: Malware configuration extractor IPs: 74.40.205.197:443
Source: Malware configuration extractor IPs: 87.106.139.101:8080
Source: Malware configuration extractor IPs: 66.76.12.94:8080
Source: Malware configuration extractor IPs: 139.59.60.244:8080
Source: Malware configuration extractor IPs: 112.185.64.233:80
Source: Malware configuration extractor IPs: 85.105.111.166:80
Source: Malware configuration extractor IPs: 74.208.45.104:8080
Source: Malware configuration extractor IPs: 94.230.70.6:80
Source: Malware configuration extractor IPs: 49.3.224.99:8080
Source: Malware configuration extractor IPs: 119.59.116.21:8080
Source: Malware configuration extractor IPs: 182.208.30.18:443
Source: Malware configuration extractor IPs: 184.180.181.202:80
Source: Malware configuration extractor IPs: 47.36.140.164:80
Source: Malware configuration extractor IPs: 186.70.56.94:443
Source: Malware configuration extractor IPs: 187.161.206.24:80
Source: Malware configuration extractor IPs: 102.182.93.220:80
Source: Malware configuration extractor IPs: 201.171.244.130:80
Source: Malware configuration extractor IPs: 190.12.119.180:443
Source: Malware configuration extractor IPs: 89.121.205.18:80
Source: Malware configuration extractor IPs: 110.145.77.103:80
Source: Malware configuration extractor IPs: 172.105.13.66:443
Source: Malware configuration extractor IPs: 108.46.29.236:80
Source: Malware configuration extractor IPs: 49.50.209.131:80
Source: Malware configuration extractor IPs: 75.143.247.51:80
Source: Malware configuration extractor IPs: 137.59.187.107:8080
Source: Malware configuration extractor IPs: 188.219.31.12:80
Source: Malware configuration extractor IPs: 61.33.119.226:443
Source: Malware configuration extractor IPs: 209.141.54.221:7080
Source: Malware configuration extractor IPs: 95.213.236.64:8080
Source: Malware configuration extractor IPs: 120.150.60.189:80
Source: Malware configuration extractor IPs: 190.164.104.62:80
Source: Malware configuration extractor IPs: 186.74.215.34:80
Source: Malware configuration extractor IPs: 139.99.158.11:443
Source: Malware configuration extractor IPs: 61.19.246.238:443
Source: Malware configuration extractor IPs: 121.7.31.214:80
Source: Malware configuration extractor IPs: 88.153.35.32:80
Source: Malware configuration extractor IPs: 5.39.91.110:7080
Source: Malware configuration extractor IPs: 123.142.37.166:80
Source: Malware configuration extractor IPs: 50.245.107.73:443
Source: Malware configuration extractor IPs: 95.9.5.93:80
Source: Malware configuration extractor IPs: 37.139.21.175:8080
Source: Malware configuration extractor IPs: 157.245.99.39:8080
Source: Malware configuration extractor IPs: 217.123.207.149:80
Source: Malware configuration extractor IPs: 72.186.136.247:443
Source: Malware configuration extractor IPs: 115.94.207.99:443
Source: Malware configuration extractor IPs: 202.141.243.254:443
Source: Malware configuration extractor IPs: 78.24.219.147:8080
Source: Malware configuration extractor IPs: 97.82.79.83:80
Source: Malware configuration extractor IPs: 217.20.166.178:7080
Source: Malware configuration extractor IPs: 203.153.216.189:7080
Source: Malware configuration extractor IPs: 220.245.198.194:80
Source: Malware configuration extractor IPs: 168.235.67.138:7080
Source: Malware configuration extractor IPs: 110.142.236.207:80
Source: Malware configuration extractor IPs: 162.241.140.129:8080
Source: Malware configuration extractor IPs: 76.175.162.101:80
Source: Malware configuration extractor IPs: 27.114.9.93:80
Source: Malware configuration extractor IPs: 24.178.90.49:80
Source: Malware configuration extractor IPs: 202.134.4.211:8080
Source: Malware configuration extractor IPs: 123.176.25.234:80
Source: Malware configuration extractor IPs: 61.76.222.210:80
Source: Malware configuration extractor IPs: 109.116.245.80:80
Source: Malware configuration extractor IPs: 139.162.60.124:8080
Source: Malware configuration extractor IPs: 190.108.228.27:443
Source: Malware configuration extractor IPs: 94.23.237.171:443
Source: Malware configuration extractor IPs: 2.58.16.89:8080
Source: Malware configuration extractor IPs: 37.179.204.33:80
Source: Malware configuration extractor IPs: 96.245.227.43:80
Source: Malware configuration extractor IPs: 216.139.123.119:80
Source: Malware configuration extractor IPs: 89.216.122.92:80
Source: Malware configuration extractor IPs: 37.187.72.193:8080
Source: Malware configuration extractor IPs: 74.214.230.200:80
Source: Malware configuration extractor IPs: 93.147.212.206:80
Source: Malware configuration extractor IPs: 103.86.49.11:8080
Source: Malware configuration extractor IPs: 174.106.122.139:80
Source: Malware configuration extractor IPs: 138.68.87.218:443
Source: Malware configuration extractor IPs: 118.83.154.64:443
Source: Malware configuration extractor IPs: 200.116.145.225:443
Source: Malware configuration extractor IPs: 94.200.114.161:80
Source: Malware configuration extractor IPs: 62.75.141.82:80
Source: Malware configuration extractor IPs: 121.124.124.40:7080
Source: Malware configuration extractor IPs: 176.113.52.6:443
Source: Malware configuration extractor IPs: 24.137.76.62:80
Source: Malware configuration extractor IPs: 41.185.28.84:8080
Source: Malware configuration extractor IPs: 50.91.114.38:80
Source: Malware configuration extractor IPs: 46.105.131.79:8080
Source: Malware configuration extractor IPs: 109.74.5.95:8080
Source: Malware configuration extractor IPs: 67.170.250.203:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HOSTER-KZ HOSTER-KZ
Source: Joe Sandbox View ASN Name: AfrihostZA AfrihostZA
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 194.4.58.192 194.4.58.192
Source: Joe Sandbox View IP Address: 95.9.5.93 95.9.5.93
Source: Joe Sandbox View IP Address: 94.200.114.161 94.200.114.161
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /VRRce6rlsw9pK/DtY9XymlLmhK7GfUco/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 59.125.219.109/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------------vX8jXrCzouVUfgwEUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 59.125.219.109:443Content-Length: 4580Cache-Control: no-cache
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49750 -> 64.207.182.168:8080
Source: global traffic TCP traffic: 192.168.2.5:49788 -> 51.89.199.141:8080
Source: global traffic TCP traffic: 192.168.2.5:49802 -> 167.114.153.111:8080
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 35
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown TCP traffic detected without corresponding DNS query: 102.182.145.130
Source: unknown TCP traffic detected without corresponding DNS query: 102.182.145.130
Source: unknown TCP traffic detected without corresponding DNS query: 102.182.145.130
Source: unknown TCP traffic detected without corresponding DNS query: 173.173.254.105
Source: unknown TCP traffic detected without corresponding DNS query: 173.173.254.105
Source: unknown TCP traffic detected without corresponding DNS query: 173.173.254.105
Source: unknown TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown TCP traffic detected without corresponding DNS query: 173.63.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 173.63.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 173.63.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 218.147.193.146
Source: unknown TCP traffic detected without corresponding DNS query: 218.147.193.146
Source: unknown TCP traffic detected without corresponding DNS query: 218.147.193.146
Source: unknown TCP traffic detected without corresponding DNS query: 59.125.219.109
Source: unknown TCP traffic detected without corresponding DNS query: 59.125.219.109
Source: unknown TCP traffic detected without corresponding DNS query: 59.125.219.109
Source: unknown TCP traffic detected without corresponding DNS query: 59.125.219.109
Source: unknown TCP traffic detected without corresponding DNS query: 172.104.97.173
Source: unknown TCP traffic detected without corresponding DNS query: 172.104.97.173
Source: unknown TCP traffic detected without corresponding DNS query: 172.104.97.173
Source: svchost.exe, 0000001F.00000003.578669911.00000249A9D99000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001F.00000003.578669911.00000249A9D99000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001F.00000003.578669911.00000249A9D99000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-09-03T08:13:47.6485296Z||.||9eff4c9e-5599-4773-81dc-0299af880dd5||1152921505693851877||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000001F.00000003.578669911.00000249A9D99000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-09-03T08:13:47.6485296Z||.||9eff4c9e-5599-4773-81dc-0299af880dd5||1152921505693851877||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000001F.00000003.571262172.00000249A9DB7000.00000004.00000001.sdmp String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTit equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001F.00000003.571262172.00000249A9DB7000.00000004.00000001.sdmp String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTit equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001F.00000003.571262172.00000249A9DB7000.00000004.00000001.sdmp String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTit equals www.youtube.com (Youtube)
Source: svchost.exe, 0000001F.00000003.571166368.00000249A9D95000.00000004.00000001.sdmp String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: svchost.exe, 0000001F.00000003.571166368.00000249A9D95000.00000004.00000001.sdmp String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: svchost.exe, 0000001F.00000003.571166368.00000249A9D95000.00000004.00000001.sdmp String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: mfnetsrc.exe, 00000003.00000003.389444928.0000000003183000.00000004.00000001.sdmp String found in binary or memory: http://102.182.145.130/Zffxf
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp String found in binary or memory: http://102.182.145.130/ZffxffN/UUQGAqPKLO/
Source: mfnetsrc.exe, 00000003.00000002.643617963.0000000003160000.00000004.00000001.sdmp String found in binary or memory: http://102.182.145.130/ZffxffN/UUQGAqPKLO/r
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp String found in binary or memory: http://167.114.153.111:8080/Rbtuwk6tKXDP8l/q4Zme1rFlg/AdvdAlL/
Source: mfnetsrc.exe, 00000003.00000003.593894510.0000000003182000.00000004.00000001.sdmp String found in binary or memory: http://167.114.153.111:8080/Rbtuwk6tKXDP8l/q4Zme1rFlg/AdvdAlL/A
Source: mfnetsrc.exe, 00000003.00000002.643617963.0000000003160000.00000004.00000001.sdmp String found in binary or memory: http://167.114.153.111:8080/Rbtuwk6tKXDP8l/q4Zme1rFlg/AdvdAlL/b4ILIf/Q8rZVqkkq/rDnmG2Ans/
Source: mfnetsrc.exe, 00000003.00000002.643617963.0000000003160000.00000004.00000001.sdmp String found in binary or memory: http://172.104.97.173:8080/NrjO6cKOEtsgnTfdu/DdqP4I6wYv/OEK9fq/iwQk9ak8yU1H9c63AU/
Source: mfnetsrc.exe, 00000003.00000002.643617963.0000000003160000.00000004.00000001.sdmp String found in binary or memory: http://172.104.97.173:8080/NrjO6cKOEtsgnTfdu/DdqP4I6wYv/OEK9fq/iwQk9ak8yU1H9c63AU/lication/octet-str
Source: mfnetsrc.exe, 00000003.00000002.643371598.0000000002BC6000.00000004.00000001.sdmp String found in binary or memory: http://173.173.254.105/dVjtW6oMoXz0rsF/f6FHy9ps6/FNv98e/sYjdUx6EAD0WvYm/
Source: mfnetsrc.exe, 00000003.00000002.643371598.0000000002BC6000.00000004.00000001.sdmp String found in binary or memory: http://173.173.254.105/dVjtW6oMoXz0rsF/f6FHy9ps6/FNv98e/sYjdUx6EAD0WvYm/t
Source: mfnetsrc.exe, 00000003.00000003.389444928.0000000003183000.00000004.00000001.sdmp String found in binary or memory: http://173.173.254.105/dVjtW6oMoXz0rsF/f6FHy9ps6/FNv98e/sYjdUx6EAD0WvYm/u
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp, mfnetsrc.exe, 00000003.00000003.593894510.0000000003182000.00000004.00000001.sdmp String found in binary or memory: http://173.63.222.65/VQIMkjZKFdAVmy/
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp String found in binary or memory: http://173.63.222.65/VQIMkjZKFdAVmy/be209e2c34a9550b8LMEM
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp String found in binary or memory: http://218.147.193.146/GJXuLUUeqrq95alY1u/oD6pJ15oDS4/Z4M9h0lWKV4FEH0yB/k3vm9W8xS/TW0iKm9TEcJ7gRi0P/
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp String found in binary or memory: http://51.89.199.141:8080/7zUrbHAgoGBYLL/SfmOyzopGPV6GjKjz/2Kjj2o/
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp String found in binary or memory: http://51.89.199.141:8080/7zUrbHAgoGBYLL/SfmOyzopGPV6GjKjz/2Kjj2o/r7Gp
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp String found in binary or memory: http://59.125.219.109:443/VRRce6rlsw9pK/DtY9XymlLmhK7GfUco/
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp String found in binary or memory: http://64.207.182.168:8080/OQYP1ogFQccmQuTysw1/v0tPhparrkDhC/NKHirfkcd6IUp4b2kRd/qhg8GSGX1b4ILIf/Q8r
Source: svchost.exe, 00000008.00000002.535480278.0000026188A8B000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.599966953.00000249A9D00000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000008.00000002.535270378.0000026188A11000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.599866160.00000249A94EB000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000C.00000002.305156857.00000222E6C13000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000001F.00000003.571166368.00000249A9D95000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.571262172.00000249A9DB7000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 0000001F.00000003.571166368.00000249A9D95000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.571262172.00000249A9DB7000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 0000000A.00000002.640427785.000001EC0AE3E000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000A.00000002.640427785.000001EC0AE3E000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000A.00000002.640427785.000001EC0AE3E000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000A.00000002.640427785.000001EC0AE3E000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000002.640427785.000001EC0AE3E000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000001F.00000003.577888353.00000249AA202000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.577764522.00000249A9DAA000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000001F.00000003.577888353.00000249AA202000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.577764522.00000249A9DAA000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.577751494.00000249A9D99000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000000C.00000003.304857438.00000222E6C5A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000002.305240035.00000222E6C5C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.305215297.00000222E6C3C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000002.305240035.00000222E6C5C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000003.304841010.00000222E6C47000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000C.00000002.305240035.00000222E6C5C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.305215297.00000222E6C3C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000C.00000003.304878671.00000222E6C40000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000C.00000003.304878671.00000222E6C40000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000002.305258030.00000222E6C5E000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000C.00000003.304857438.00000222E6C5A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000002.305258030.00000222E6C5E000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000002.305258030.00000222E6C5E000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000002.305266612.00000222E6C62000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.304857438.00000222E6C5A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.305215297.00000222E6C3C000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000003.283049058.00000222E6C31000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000001F.00000003.577888353.00000249AA202000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.577764522.00000249A9DAA000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 0000001F.00000003.571166368.00000249A9D95000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.571262172.00000249A9DB7000.00000004.00000001.sdmp String found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
Source: svchost.exe, 0000000C.00000002.305215297.00000222E6C3C000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.305156857.00000222E6C13000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.305215297.00000222E6C3C000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000003.283049058.00000222E6C31000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000003.304894765.00000222E6C56000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000003.283049058.00000222E6C31000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000C.00000002.305209467.00000222E6C3A000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000C.00000003.304841010.00000222E6C47000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 0000001F.00000003.577888353.00000249AA202000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.577764522.00000249A9DAA000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000001F.00000003.577888353.00000249AA202000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.577764522.00000249A9DAA000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy
Source: svchost.exe, 0000001F.00000003.572380552.00000249A9DB7000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.572491250.00000249A9D95000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.572338438.00000249A9D95000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: unknown HTTP traffic detected: POST /VRRce6rlsw9pK/DtY9XymlLmhK7GfUco/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 59.125.219.109/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------------vX8jXrCzouVUfgwEUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 59.125.219.109:443Content-Length: 4580Cache-Control: no-cache

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: 0TOEtGJHN8.exe, 00000000.00000002.249119862.0000000000F2A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

barindex
Yara detected Emotet
Source: Yara match File source: 3.2.mfnetsrc.exe.29f279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.29c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.290279e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.mfnetsrc.exe.2aa0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.290279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.290052e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.mfnetsrc.exe.29f279e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.mfnetsrc.exe.29f052e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.mfnetsrc.exe.29f052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.290052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.642790111.0000000002A34000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.642626999.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.249411331.0000000002900000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.249721472.0000000002944000.00000004.00000001.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_02AA2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx, 3_2_02AA2650

System Summary:

barindex
Uses 32bit PE files
Source: 0TOEtGJHN8.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe File deleted: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe:Zone.Identifier Jump to behavior
Creates files inside the system directory
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe File created: C:\Windows\SysWOW64\keyiso\ Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029C8240 0_2_029C8240
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029C3BA0 0_2_029C3BA0
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029C3D10 0_2_029C3D10
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029C6530 0_2_029C6530
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029C3F20 0_2_029C3F20
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029C7740 0_2_029C7740
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029C1C70 0_2_029C1C70
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02905ABE 0_2_02905ABE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029092DE 0_2_029092DE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_0290573E 0_2_0290573E
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029058AE 0_2_029058AE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029080CE 0_2_029080CE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_0290380E 0_2_0290380E
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02917069 0_2_02917069
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02909DDE 0_2_02909DDE
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_02AA8240 3_2_02AA8240
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_02AA3BA0 3_2_02AA3BA0
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_02AA3F20 3_2_02AA3F20
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_02AA6530 3_2_02AA6530
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_02AA3D10 3_2_02AA3D10
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_02AA1C70 3_2_02AA1C70
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_02AA7740 3_2_02AA7740
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_029F5ABE 3_2_029F5ABE
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_029F92DE 3_2_029F92DE
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_029F573E 3_2_029F573E
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_029F58AE 3_2_029F58AE
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_029F80CE 3_2_029F80CE
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_029F380E 3_2_029F380E
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_02A07069 3_2_02A07069
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_029F9DDE 3_2_029F9DDE
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Process Stats: CPU usage > 98%
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windowscoredeviceinfo.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windowscoredeviceinfo.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windowscoredeviceinfo.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windowscoredeviceinfo.dll Jump to behavior
Source: 0TOEtGJHN8.exe Virustotal: Detection: 85%
Source: 0TOEtGJHN8.exe Metadefender: Detection: 45%
Source: 0TOEtGJHN8.exe ReversingLabs: Detection: 88%
Source: 0TOEtGJHN8.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\0TOEtGJHN8.exe 'C:\Users\user\Desktop\0TOEtGJHN8.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Process created: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe C:\Windows\SysWOW64\keyiso\mfnetsrc.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Process created: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable Jump to behavior
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@20/10@0/100
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: CloseServiceHandle,_snwprintf,CreateServiceW,CloseServiceHandle, 0_2_029C87D0
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029C5070 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap, 0_2_029C5070
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_02AA4CB0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification, 3_2_02AA4CB0
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2592:120:WilError_01
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029C5D90 push ecx; mov dword ptr [esp], 0000B2E0h 0_2_029C5D91
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029C5EA0 push ecx; mov dword ptr [esp], 0000A3FDh 0_2_029C5EA1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029C5CD0 push ecx; mov dword ptr [esp], 00001CE1h 0_2_029C5CD1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029C5DC0 push ecx; mov dword ptr [esp], 000089FAh 0_2_029C5DC1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029C5DF0 push ecx; mov dword ptr [esp], 0000AAF5h 0_2_029C5DF1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029C5EF0 push ecx; mov dword ptr [esp], 0000669Ch 0_2_029C5EF1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029C5E10 push ecx; mov dword ptr [esp], 0000F5B3h 0_2_029C5E11
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029C5D00 push ecx; mov dword ptr [esp], 00001F9Eh 0_2_029C5D01
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029C5D20 push ecx; mov dword ptr [esp], 0000C5A1h 0_2_029C5D21
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029C5F20 push ecx; mov dword ptr [esp], 0000E36Ch 0_2_029C5F21
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029C5D50 push ecx; mov dword ptr [esp], 00006847h 0_2_029C5D51
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02923E9C push ebx; iretd 0_2_02923EAF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02923E9C push FFFFFF95h; iretd 0_2_02923EF1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02907A8E push ecx; mov dword ptr [esp], 0000669Ch 0_2_02907A8F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02907ABE push ecx; mov dword ptr [esp], 0000E36Ch 0_2_02907ABF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02907A3E push ecx; mov dword ptr [esp], 0000A3FDh 0_2_02907A3F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_0290789E push ecx; mov dword ptr [esp], 00001F9Eh 0_2_0290789F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029078BE push ecx; mov dword ptr [esp], 0000C5A1h 0_2_029078BF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029078EE push ecx; mov dword ptr [esp], 00006847h 0_2_029078EF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_0290786E push ecx; mov dword ptr [esp], 00001CE1h 0_2_0290786F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_0290798E push ecx; mov dword ptr [esp], 0000AAF5h 0_2_0290798F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_0291858F push edi; iretd 0_2_029185A1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029079AE push ecx; mov dword ptr [esp], 0000F5B3h 0_2_029079AF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029239D9 push ss; iretd 0_2_029239DE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_0290792E push ecx; mov dword ptr [esp], 0000B2E0h 0_2_0290792F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_0290795E push ecx; mov dword ptr [esp], 000089FAh 0_2_0290795F
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_02AA5EA0 push ecx; mov dword ptr [esp], 0000A3FDh 3_2_02AA5EA1
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_02AA5D90 push ecx; mov dword ptr [esp], 0000B2E0h 3_2_02AA5D91
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_02AA5DF0 push ecx; mov dword ptr [esp], 0000AAF5h 3_2_02AA5DF1
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_02AA5EF0 push ecx; mov dword ptr [esp], 0000669Ch 3_2_02AA5EF1
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_02AA5DC0 push ecx; mov dword ptr [esp], 000089FAh 3_2_02AA5DC1
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02941030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, 0_2_02941030

Persistence and Installation Behavior:

barindex
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Executable created and started: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Jump to behavior
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe PE file moved: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe File opened: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe:Zone.Identifier read attributes | delete Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\svchost.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior

Malware Analysis System Evasion:

barindex
Query firmware table information (likely to detect VMs)
Source: C:\Windows\System32\svchost.exe System information queried: FirmwareTableInformation Jump to behavior
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 5652 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4640 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1860 Thread sleep time: -30000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap, 0_2_029C5070
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029C38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose, 0_2_029C38F0
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_02AA38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose, 3_2_02AA38F0
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: svchost.exe, 00000008.00000002.535436324.0000026188A64000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.599879058.00000249A94FA000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 0000000E.00000002.641504241.0000014ADA891000.00000004.00000001.sdmp Binary or memory string: VMware7,1
Source: svchost.exe, 00000004.00000002.640210864.000001B725202000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.535370026.0000026188A4E000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.599866160.00000249A94EB000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000E.00000002.641504241.0000014ADA891000.00000004.00000001.sdmp Binary or memory string: VMware, Inc.ed
Source: svchost.exe, 00000004.00000002.640316593.000001B725228000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.640557549.000001EC0AE65000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.640340368.000001F95402A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02941030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, 0_2_02941030
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029C36B0 _snwprintf,GetProcessHeap,DeleteFileW,DeleteFileW, 0_2_029C36B0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029C3F20 mov eax, dword ptr fs:[00000030h] 0_2_029C3F20
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029C4E20 mov eax, dword ptr fs:[00000030h] 0_2_029C4E20
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02905ABE mov eax, dword ptr fs:[00000030h] 0_2_02905ABE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02900456 mov eax, dword ptr fs:[00000030h] 0_2_02900456
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029069BE mov eax, dword ptr fs:[00000030h] 0_2_029069BE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_0290095E mov eax, dword ptr fs:[00000030h] 0_2_0290095E
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_02941030 mov eax, dword ptr fs:[00000030h] 0_2_02941030
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_02AA3F20 mov eax, dword ptr fs:[00000030h] 3_2_02AA3F20
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_02AA4E20 mov eax, dword ptr fs:[00000030h] 3_2_02AA4E20
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_029F5ABE mov eax, dword ptr fs:[00000030h] 3_2_029F5ABE
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_029F0456 mov eax, dword ptr fs:[00000030h] 3_2_029F0456
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_029F69BE mov eax, dword ptr fs:[00000030h] 3_2_029F69BE
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_029F095E mov eax, dword ptr fs:[00000030h] 3_2_029F095E
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_02A31030 mov eax, dword ptr fs:[00000030h] 3_2_02A31030
Source: mfnetsrc.exe, 00000003.00000002.642411104.00000000015E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: mfnetsrc.exe, 00000003.00000002.642411104.00000000015E0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: mfnetsrc.exe, 00000003.00000002.642411104.00000000015E0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: mfnetsrc.exe, 00000003.00000002.642411104.00000000015E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: mfnetsrc.exe, 00000003.00000002.642411104.00000000015E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe Code function: 0_2_029C7EC0 _snwprintf,GetProcessHeap,SetFileInformationByHandle,SetFileInformationByHandle,GetSystemTimeAsFileTime,CreateFileW,CreateFileW,CloseHandle, 0_2_029C7EC0
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe Code function: 3_2_02AA5360 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo, 3_2_02AA5360

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA &apos;AntiVirusProduct&apos; OR TargetInstance ISA &apos;FirewallProduct&apos; OR TargetInstance ISA &apos;AntiSpywareProduct&apos;
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 0000000E.00000002.642858503.0000014ADB16D000.00000004.00000001.sdmp Binary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe
Source: svchost.exe, 0000000F.00000002.640571004.000001D477629000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

barindex
Yara detected Emotet
Source: Yara match File source: 3.2.mfnetsrc.exe.29f279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.29c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.290279e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.mfnetsrc.exe.2aa0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.290279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.290052e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.mfnetsrc.exe.29f279e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.mfnetsrc.exe.29f052e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.mfnetsrc.exe.29f052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0TOEtGJHN8.exe.290052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.642790111.0000000002A34000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.642626999.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.249411331.0000000002900000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.249721472.0000000002944000.00000004.00000001.sdmp, type: MEMORY