Analysis Report BnJvVt951o

Overview

General Information

Sample Name: BnJvVt951o (renamed file extension from none to exe)
Analysis ID: 382018
MD5: ae03a6f8fb74d401b403647d28e21574
SHA1: 6ee320cedc77499f5df9ae9c93ef42c0d91f3ce8
SHA256: 1ad1ff05930f27ef4b349c7a612235d1632ef7ceaa1a17adf7c7b3a97b40ca4d

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Emotet e-Banking trojan
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Emotet
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: BnJvVt951o.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: BnJvVt951o.exe Virustotal: Detection: 84%
Source: BnJvVt951o.exe ReversingLabs: Detection: 96%
Machine Learning detection for sample
Source: BnJvVt951o.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.BnJvVt951o.exe.238053f.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.BnJvVt951o.exe.239053f.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 3.2.browserdialog.exe.62053f.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.browserdialog.exe.54053f.1.unpack Avira: Label: TR/Patched.Ren.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0239207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash, 1_2_0239207B
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0239215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash, 1_2_0239215A
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_02391F11 CryptExportKey, 1_2_02391F11
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_02391F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext, 1_2_02391F75
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_02391F56 CryptGetHashParam, 1_2_02391F56
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_02391FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 1_2_02391FFC
Source: C:\Windows\SysWOW64\browserdialog.exe Code function: 4_2_00E0207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash, 4_2_00E0207B
Source: C:\Windows\SysWOW64\browserdialog.exe Code function: 4_2_00E01FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 4_2_00E01FFC
Source: C:\Windows\SysWOW64\browserdialog.exe Code function: 4_2_00E01F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext, 4_2_00E01F75
Source: C:\Windows\SysWOW64\browserdialog.exe Code function: 4_2_00E01F11 CryptExportKey, 4_2_00E01F11
Source: C:\Windows\SysWOW64\browserdialog.exe Code function: 4_2_00E01F56 CryptGetHashParam, 4_2_00E01F56
Source: C:\Windows\SysWOW64\browserdialog.exe Code function: 4_2_00E0215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash, 4_2_00E0215A

Compliance:

Uses 32bit PE files
Source: BnJvVt951o.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: c:\Users\User\Desktop\2003\modeless\Release\modeless.pdb source: BnJvVt951o.exe
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 0_2_0043A377
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_0043AE3F lstrlenA,FindFirstFileA,FindClose, 0_2_0043AE3F
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 1_2_0043A377
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0043AE3F lstrlenA,FindFirstFileA,FindClose, 1_2_0043AE3F

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49747 -> 209.141.41.136:8080
Source: global traffic TCP traffic: 192.168.2.4:49766 -> 104.236.246.93:8080
Source: global traffic TCP traffic: 192.168.2.4:49768 -> 198.199.114.69:8080
Source: global traffic TCP traffic: 192.168.2.4:49770 -> 152.89.236.214:8080
Source: global traffic TCP traffic: 192.168.2.4:49771 -> 87.106.136.232:8080
Source: global traffic TCP traffic: 192.168.2.4:49772 -> 178.210.51.222:8080
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.236.246.93
Source: unknown TCP traffic detected without corresponding DNS query: 45.33.54.74
Source: unknown TCP traffic detected without corresponding DNS query: 209.141.41.136
Source: unknown TCP traffic detected without corresponding DNS query: 104.236.246.93
Source: unknown TCP traffic detected without corresponding DNS query: 198.199.114.69
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.236.214
Source: unknown TCP traffic detected without corresponding DNS query: 87.106.136.232
Source: C:\Windows\SysWOW64\browserdialog.exe Code function: 4_2_00E01383 InternetReadFile, 4_2_00E01383
Source: svchost.exe, 0000000B.00000003.736686052.000002500417B000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD",
"MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-01T08:42:55.8407457Z||.||646da06c-a69a-4aff-bcc8-3f5a349348ca||1152921505693336001||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000B.00000002.748319385.0000025004113000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000B.00000002.748319385.0000025004113000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000B.00000003.730865817.000002500415A000.00000004.00000001.sdmp String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","P
ackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-15T21:09:58.8377117Z||.||1ad32855-590c-405c-8d49-1a557bf58211||1152921505693277189||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-03-15T21:09:05.1816176Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free* texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 0000000B.00000003.728117612.000002500417A000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 0000000B.00000003.728117612.000002500417A000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1
a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507060394,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6","PackageId":"448e913e-e6bd-69c2-2c7f-25b80795f801-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 0000000B.00000003.728325297.000002500419A000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 0000000B.00000003.730876848.000002500416B000.00000004.00000001.sdmp String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","P
ackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-15T21:09:58.8377117Z||.||1ad32855-590c-405c-8d49-1a557bf58211||1152921505693277189||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-03-15T21:09:05.1816176Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free* texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: browserdialog.exe, 00000004.00000002.902979540.0000000000199000.00000004.00000001.sdmp String found in binary or memory: http://178.210.51.222/enabled/guids/free/
Source: svchost.exe, 0000000B.00000002.748080584.00000250038C6000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 0000000B.00000002.748080584.00000250038C6000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 0000000B.00000002.748080584.00000250038C6000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 0000000B.00000002.748080584.00000250038C6000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 0000000B.00000003.728117612.000002500417A000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.728325297.000002500419A000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 0000000B.00000003.728117612.000002500417A000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.728325297.000002500419A000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 0000000B.00000003.727125544.0000025004155000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/privacy
Source: svchost.exe, 0000000B.00000003.727125544.0000025004155000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/terms
Source: svchost.exe, 0000000B.00000003.735526851.0000025004193000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.735603672.0000025004177000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000000B.00000003.735526851.0000025004193000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.735603672.0000025004177000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.735589105.0000025004166000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000000B.00000003.735526851.0000025004193000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.735603672.0000025004177000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 0000000B.00000003.728117612.000002500417A000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.728325297.000002500419A000.00000004.00000001.sdmp String found in binary or memory: https://instagram.com/hiddencity_
Source: svchost.exe, 0000000B.00000003.727125544.0000025004155000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/ca-privacy-rights
Source: svchost.exe, 0000000B.00000003.727125544.0000025004155000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
Source: svchost.exe, 0000000B.00000003.735526851.0000025004193000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.735603672.0000025004177000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000000B.00000003.735526851.0000025004193000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.735603672.0000025004177000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_0043814C GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_0043814C
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_0044C334 GetKeyState,GetKeyState,GetKeyState, 0_2_0044C334
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_004450BA ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow, 0_2_004450BA
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_0042F3FF __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent, 0_2_0042F3FF
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_00449796 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent, 0_2_00449796
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_00433B4D GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_00433B4D
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0043814C GetKeyState,GetKeyState,GetKeyState,GetKeyState, 1_2_0043814C
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0044C334 GetKeyState,GetKeyState,GetKeyState, 1_2_0044C334
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_004450BA ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow, 1_2_004450BA
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0042F3FF __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent, 1_2_0042F3FF
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_00449796 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent, 1_2_00449796
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_00433B4D GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 1_2_00433B4D

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0239C11B 1_2_0239C11B
Source: C:\Windows\SysWOW64\browserdialog.exe Code function: 4_2_00E0C11B 4_2_00E0C11B
Yara detected Emotet
Source: Yara match File source: 00000004.00000002.903155910.0000000000540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.655860929.0000000002380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.635756418.0000000002390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.654778661.0000000000620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.903347367.0000000000E01000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.655881251.0000000002391000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.654794849.0000000000641000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.635771732.00000000023A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.browserdialog.exe.54053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BnJvVt951o.exe.238053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BnJvVt951o.exe.239053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.browserdialog.exe.62053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.browserdialog.exe.62053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BnJvVt951o.exe.238053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BnJvVt951o.exe.239053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.browserdialog.exe.54053f.1.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_02391F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext, 1_2_02391F75
Source: C:\Windows\SysWOW64\browserdialog.exe Code function: 4_2_00E01F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext, 4_2_00E01F75

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.903155910.0000000000540000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.655860929.0000000002380000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.635756418.0000000002390000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000003.00000002.654778661.0000000000620000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000004.00000002.903347367.0000000000E01000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.655881251.0000000002391000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000003.00000002.654794849.0000000000641000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.635771732.00000000023A1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 4.2.browserdialog.exe.54053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 4.2.browserdialog.exe.54053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 1.2.BnJvVt951o.exe.238053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.BnJvVt951o.exe.239053f.2.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 3.2.browserdialog.exe.62053f.2.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 3.2.browserdialog.exe.62053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 3.2.browserdialog.exe.62053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 1.2.BnJvVt951o.exe.238053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.BnJvVt951o.exe.238053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 0.2.BnJvVt951o.exe.239053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.BnJvVt951o.exe.239053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 4.2.browserdialog.exe.54053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Contains functionality to delete services
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0239C2E7 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle, 1_2_0239C2E7
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_02391D2B CreateProcessAsUserW,CreateProcessW, 1_2_02391D2B
Creates files inside the system directory
Source: C:\Windows\SysWOW64\browserdialog.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\BnJvVt951o.exe File deleted: C:\Windows\SysWOW64\browserdialog.exe:Zone.Identifier
Detected potential crypto function
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_0041CB04 0_2_0041CB04
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_004351C1 0_2_004351C1
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_00419288 0_2_00419288
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_023928C1 0_2_023928C1
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0041CB04 1_2_0041CB04
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_004351C1 1_2_004351C1
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_00419288 1_2_00419288
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_023828C1 1_2_023828C1
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_023830E8 1_2_023830E8
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_023830E4 1_2_023830E4
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_023937A9 1_2_023937A9
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_023937A5 1_2_023937A5
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_02392F82 1_2_02392F82
Source: C:\Windows\SysWOW64\browserdialog.exe Code function: 4_2_00E037A5 4_2_00E037A5
Source: C:\Windows\SysWOW64\browserdialog.exe Code function: 4_2_00E037A9 4_2_00E037A9
Source: C:\Windows\SysWOW64\browserdialog.exe Code function: 4_2_00E02F82 4_2_00E02F82
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: String function: 00401AB4 appears 46 times
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: String function: 004373E9 appears 32 times
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: String function: 0041C3B9 appears 58 times
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: String function: 004334D7 appears 66 times
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: String function: 0044D589 appears 86 times
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: String function: 00419937 appears 8618 times
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: String function: 0044FB2C appears 32 times
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: String function: 00419918 appears 494 times
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: String function: 0041923C appears 134 times
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: String function: 0041E3BF appears 80 times
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: String function: 0044D5AF appears 38 times
Sample file is different than original file name gathered from version info
Source: BnJvVt951o.exe, 00000000.00000002.635636987.0000000002280000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs BnJvVt951o.exe
Source: BnJvVt951o.exe, 00000001.00000002.655957221.00000000026C0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs BnJvVt951o.exe
Source: BnJvVt951o.exe, 00000001.00000002.656011259.0000000002720000.00000002.00000001.sdmp Binary or memory string: originalfilename vs BnJvVt951o.exe
Source: BnJvVt951o.exe, 00000001.00000002.656011259.0000000002720000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs BnJvVt951o.exe
Uses 32bit PE files
Source: BnJvVt951o.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000004.00000002.903155910.0000000000540000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.655860929.0000000002380000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.635756418.0000000002390000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000003.00000002.654778661.0000000000620000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000004.00000002.903347367.0000000000E01000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.655881251.0000000002391000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000003.00000002.654794849.0000000000641000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.635771732.00000000023A1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 4.2.browserdialog.exe.54053f.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 4.2.browserdialog.exe.54053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 4.2.browserdialog.exe.54053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 1.2.BnJvVt951o.exe.238053f.1.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 1.2.BnJvVt951o.exe.238053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.BnJvVt951o.exe.239053f.2.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 0.2.BnJvVt951o.exe.239053f.2.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 3.2.browserdialog.exe.62053f.2.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 3.2.browserdialog.exe.62053f.2.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 3.2.browserdialog.exe.62053f.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 3.2.browserdialog.exe.62053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 3.2.browserdialog.exe.62053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 1.2.BnJvVt951o.exe.238053f.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 1.2.BnJvVt951o.exe.238053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.BnJvVt951o.exe.238053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 0.2.BnJvVt951o.exe.239053f.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 0.2.BnJvVt951o.exe.239053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.BnJvVt951o.exe.239053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 4.2.browserdialog.exe.54053f.1.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 4.2.browserdialog.exe.54053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: classification engine Classification label: mal96.bank.troj.evad.winEXE@10/0@0/7
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_0043F939 __EH_prolog,GetDiskFreeSpaceA,GetFullPathNameA,GetTempFileNameA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA, 0_2_0043F939
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, 1_2_0239C3B7
Source: C:\Windows\SysWOW64\browserdialog.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, 4_2_00E0C3B7
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_02391943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 1_2_02391943
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_00416DE7 __EH_prolog,VariantClear,SysAllocStringByteLen,CoCreateInstance,CoCreateInstance,CoCreateInstance, 0_2_00416DE7
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_004315F6 __EH_prolog,FindResourceA,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource, 0_2_004315F6
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0239C3B7 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, 1_2_0239C3B7
Source: C:\Users\user\Desktop\BnJvVt951o.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: C:\Windows\SysWOW64\browserdialog.exe Mutant created: \BaseNamedObjects\Global\I60BB53F3
Source: C:\Users\user\Desktop\BnJvVt951o.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\I60BB53F3
Source: C:\Users\user\Desktop\BnJvVt951o.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\M60BB53F3
Source: BnJvVt951o.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BnJvVt951o.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\BnJvVt951o.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: BnJvVt951o.exe Virustotal: Detection: 84%
Source: BnJvVt951o.exe ReversingLabs: Detection: 96%
Source: unknown Process created: C:\Users\user\Desktop\BnJvVt951o.exe 'C:\Users\user\Desktop\BnJvVt951o.exe'
Source: C:\Users\user\Desktop\BnJvVt951o.exe Process created: C:\Users\user\Desktop\BnJvVt951o.exe --132eeff2
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\SysWOW64\browserdialog.exe C:\Windows\SysWOW64\browserdialog.exe
Source: C:\Windows\SysWOW64\browserdialog.exe Process created: C:\Windows\SysWOW64\browserdialog.exe --39eda026
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\BnJvVt951o.exe Process created: C:\Users\user\Desktop\BnJvVt951o.exe --132eeff2
Source: C:\Windows\SysWOW64\browserdialog.exe Process created: C:\Windows\SysWOW64\browserdialog.exe --39eda026
Source: C:\Users\user\Desktop\BnJvVt951o.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: BnJvVt951o.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Users\User\Desktop\2003\modeless\Release\modeless.pdb source: BnJvVt951o.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_00432655 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary, 0_2_00432655
PE file contains an invalid checksum
Source: BnJvVt951o.exe Static PE information: real checksum: 0x7ffed should be: 0x800e5
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_00419277 push ecx; ret 0_2_00419287
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_004193A0 push eax; ret 0_2_004193B4
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_004193A0 push eax; ret 0_2_004193DC
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_00419918 push eax; ret 0_2_00419936
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_0239E190 push BB276B01h; ret 0_2_0239E1C2
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_00419277 push ecx; ret 1_2_00419287
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_004193A0 push eax; ret 1_2_004193B4
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_004193A0 push eax; ret 1_2_004193DC
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_00419918 push eax; ret 1_2_00419936
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0238E190 push BB276B01h; ret 1_2_0238E1C2

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\browserdialog.exe Executable created and started: C:\Windows\SysWOW64\browserdialog.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\BnJvVt951o.exe PE file moved: C:\Windows\SysWOW64\browserdialog.exe
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0239C3B7 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, 1_2_0239C3B7

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\BnJvVt951o.exe File opened: C:\Windows\SysWOW64\browserdialog.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_004121E0 IsIconic,SetFileSecurityW,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 0_2_004121E0
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_0043ED39 GetParent,GetParent,IsIconic,GetParent, 0_2_0043ED39
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_00412F6C IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00412F6C
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_004415C2 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA, 0_2_004415C2
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_00449839 IsWindowVisible,IsIconic, 0_2_00449839
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_004121E0 IsIconic,SetFileSecurityW,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 1_2_004121E0
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0043ED39 GetParent,GetParent,IsIconic,GetParent, 1_2_0043ED39
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_00412F6C IsIconic,GetWindowPlacement,GetWindowRect, 1_2_00412F6C
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_004415C2 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA, 1_2_004415C2
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_00449839 IsWindowVisible,IsIconic, 1_2_00449839
Source: C:\Users\user\Desktop\BnJvVt951o.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BnJvVt951o.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BnJvVt951o.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BnJvVt951o.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\browserdialog.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\browserdialog.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\browserdialog.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\browserdialog.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\browserdialog.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\browserdialog.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\SysWOW64\browserdialog.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\BnJvVt951o.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle, 1_2_0239C11B
Source: C:\Windows\SysWOW64\browserdialog.exe Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle, 4_2_00E0C11B
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 7160 Thread sleep time: -120000s >= -30000s
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\BnJvVt951o.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 0_2_0043A377
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_0043AE3F lstrlenA,FindFirstFileA,FindClose, 0_2_0043AE3F
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 1_2_0043A377
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0043AE3F lstrlenA,FindFirstFileA,FindClose, 1_2_0043AE3F
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_00419156 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect, 0_2_00419156
Source: svchost.exe, 00000002.00000002.646769113.000002C548540000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.697892092.00000160CD660000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.713972061.0000024499490000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.748731242.0000025004800000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 0000000B.00000002.748043559.000002500388A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWp
Source: svchost.exe, 0000000B.00000002.748103746.00000250038EB000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000002.00000002.646769113.000002C548540000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.697892092.00000160CD660000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.713972061.0000024499490000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.748731242.0000025004800000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000002.00000002.646769113.000002C548540000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.697892092.00000160CD660000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.713972061.0000024499490000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.748731242.0000025004800000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000002.00000002.646769113.000002C548540000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.697892092.00000160CD660000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.713972061.0000024499490000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.748731242.0000025004800000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\browserdialog.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\browserdialog.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\browserdialog.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_00432655 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary, 0_2_00432655
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_00401B93 mov eax, dword ptr fs:[00000030h] 0_2_00401B93
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_00401BA2 mov eax, dword ptr fs:[00000030h] 0_2_00401BA2
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_02390467 mov eax, dword ptr fs:[00000030h] 0_2_02390467
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_02390C0C mov eax, dword ptr fs:[00000030h] 0_2_02390C0C
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_00401B93 mov eax, dword ptr fs:[00000030h] 1_2_00401B93
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_00401BA2 mov eax, dword ptr fs:[00000030h] 1_2_00401BA2
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_02380467 mov eax, dword ptr fs:[00000030h] 1_2_02380467
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_02380C0C mov eax, dword ptr fs:[00000030h] 1_2_02380C0C
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_02381743 mov eax, dword ptr fs:[00000030h] 1_2_02381743
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_023912CD mov eax, dword ptr fs:[00000030h] 1_2_023912CD
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_02391E04 mov eax, dword ptr fs:[00000030h] 1_2_02391E04
Source: C:\Windows\SysWOW64\browserdialog.exe Code function: 4_2_00E012CD mov eax, dword ptr fs:[00000030h] 4_2_00E012CD
Source: C:\Windows\SysWOW64\browserdialog.exe Code function: 4_2_00E01E04 mov eax, dword ptr fs:[00000030h] 4_2_00E01E04
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_023914F2 GetProcessHeap,RtlAllocateHeap, 1_2_023914F2
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_00420406 SetUnhandledExceptionFilter, 0_2_00420406
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_0042041A SetUnhandledExceptionFilter, 0_2_0042041A
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_00420406 SetUnhandledExceptionFilter, 1_2_00420406
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0042041A SetUnhandledExceptionFilter, 1_2_0042041A

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_0239C477 cpuid 0_2_0239C477
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetLocaleInfoA,_strncpy, 0_2_00426F2A
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 0_2_00401069
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: _strlen,EnumSystemLocalesA, 0_2_00427449
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: _strlen,_strlen,EnumSystemLocalesA, 0_2_00427480
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat, 0_2_0042755B
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: _strlen,EnumSystemLocalesA, 0_2_00427506
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetLocaleInfoA, 0_2_00427749
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA, 0_2_0044D759
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar, 0_2_004299EE
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetLocaleInfoA,MultiByteToWideChar, 0_2_00429AAA
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 0_2_00429B1E
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetLocaleInfoW,WideCharToMultiByte, 0_2_00429BD1
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetLocaleInfoA,_strncpy, 1_2_00426F2A
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 1_2_00401069
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: _strlen,EnumSystemLocalesA, 1_2_00427449
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: _strlen,_strlen,EnumSystemLocalesA, 1_2_00427480
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat, 1_2_0042755B
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: _strlen,EnumSystemLocalesA, 1_2_00427506
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetLocaleInfoA, 1_2_00427749
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA, 1_2_0044D759
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar, 1_2_004299EE
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetLocaleInfoA,MultiByteToWideChar, 1_2_00429AAA
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 1_2_00429B1E
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetLocaleInfoW,WideCharToMultiByte, 1_2_00429BD1
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\BnJvVt951o.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\browserdialog.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_00420151 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00420151
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_004231DB __lock,_strlen,_strcat,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy, 0_2_004231DB
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_0044A5CB GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterWindowMessageA, 0_2_0044A5CB
Source: C:\Users\user\Desktop\BnJvVt951o.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000004.00000002.903155910.0000000000540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.655860929.0000000002380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.635756418.0000000002390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.654778661.0000000000620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.903347367.0000000000E01000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.655881251.0000000002391000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.654794849.0000000000641000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.635771732.00000000023A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.browserdialog.exe.54053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BnJvVt951o.exe.238053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BnJvVt951o.exe.239053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.browserdialog.exe.62053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.browserdialog.exe.62053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BnJvVt951o.exe.238053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BnJvVt951o.exe.239053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.browserdialog.exe.54053f.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_004514EB CreateBindCtx,lstrlenW,lstrlenA,CoTaskMemFree, 0_2_004514EB
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_00451B05 lstrlenA,lstrlenW,lstrlenW,lstrlenW,CoTaskMemAlloc,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree, 0_2_00451B05
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_004514EB CreateBindCtx,lstrlenW,lstrlenA,CoTaskMemFree, 1_2_004514EB
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_00451B05 lstrlenA,lstrlenW,lstrlenW,lstrlenW,CoTaskMemAlloc,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree, 1_2_00451B05
Behavior Graph:

Behavior Graph ID: 382018 Sample: BnJvVt951o Startdate: 05/04/2021 Architecture: WINDOWS Score: 96
Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures
Processes started from the sample node: browserdialog.exe; BnJvVt951o.exe; svchost.exe; 3 other processes
browserdialog.exe: Detected Emotet e-Banking trojan; Found evasive API chain (may stop execution after checking mutex); Drops executables to the windows directory (C:\Windows) and starts them; starts child process browserdialog.exe
BnJvVt951o.exe: starts child process BnJvVt951o.exe; the child hides that the sample has been downloaded from the Internet (zone.identifier)
Child browserdialog.exe network contacts: 209.141.41.136, 8080 PONYNETUS United States; 87.106.136.232, 49771, 8080 ONEANDONE-ASBrauerstrasse48DE Germany; 5 other IPs or domains

Contacted Public IPs

IP               Domain   Country             ASN    ASN Name                        Malicious
152.89.236.214   unknown  Germany             31400  ACCELERATED-ITDE                false
198.199.114.69   unknown  United States       14061  DIGITALOCEAN-ASNUS              false
104.236.246.93   unknown  United States       14061  DIGITALOCEAN-ASNUS              false
178.210.51.222   unknown  Russian Federation  43727  KVANT-TELECOMRU                 false
45.33.54.74      unknown  United States       63949  LINODE-APLinodeLLCUS            false
209.141.41.136   unknown  United States       53667  PONYNETUS                       false
87.106.136.232   unknown  Germany             8560   ONEANDONE-ASBrauerstrasse48DE   false