Analysis Report BnJvVt951o.exe

Overview

General Information

Sample Name: BnJvVt951o.exe
Analysis ID: 382018
MD5: ae03a6f8fb74d401b403647d28e21574
SHA1: 6ee320cedc77499f5df9ae9c93ef42c0d91f3ce8
SHA256: 1ad1ff05930f27ef4b349c7a612235d1632ef7ceaa1a17adf7c7b3a97b40ca4d

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Emotet e-Banking trojan
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Emotet
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: BnJvVt951o.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: BnJvVt951o.exe Virustotal: Detection: 84%
Source: BnJvVt951o.exe ReversingLabs: Detection: 96%
Machine Learning detection for sample
Source: BnJvVt951o.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.bushexa.exe.f4053f.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.BnJvVt951o.exe.22c053f.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.BnJvVt951o.exe.22d053f.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.bushexa.exe.f4053f.2.unpack Avira: Label: TR/Patched.Ren.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 6_2_00F5207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash, 6_2_00F5207B
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 6_2_00F51FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 6_2_00F51FFC
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 6_2_00F51F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext, 6_2_00F51F75
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 6_2_00F51F11 CryptExportKey, 6_2_00F51F11
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 6_2_00F51F56 CryptGetHashParam, 6_2_00F51F56
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 6_2_00F5215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash, 6_2_00F5215A

Compliance:

Uses 32bit PE files
Source: BnJvVt951o.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: c:\Users\User\Desktop\2003\modeless\Release\modeless.pdb source: BnJvVt951o.exe
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 0_2_0043A377
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_0043AE3F lstrlenA,FindFirstFileA,FindClose, 0_2_0043AE3F
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 1_2_0043A377
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0043AE3F lstrlenA,FindFirstFileA,FindClose, 1_2_0043AE3F

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49746 -> 209.141.41.136:8080
Source: global traffic TCP traffic: 192.168.2.4:49762 -> 104.236.246.93:8080
Source: global traffic TCP traffic: 192.168.2.4:49768 -> 198.199.114.69:8080
Source: global traffic TCP traffic: 192.168.2.4:49771 -> 152.89.236.214:8080
Source: global traffic TCP traffic: 192.168.2.4:49772 -> 87.106.136.232:8080
Source: global traffic TCP traffic: 192.168.2.4:49773 -> 178.210.51.222:8080
Source: global traffic TCP traffic: 192.168.2.4:49775 -> 201.251.43.69:8080
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 198.199.114.69 198.199.114.69
Source: Joe Sandbox View IP Address: 104.236.246.93 104.236.246.93
Source: unknown TCP traffic detected without corresponding DNS query: 45.33.54.74
Source: unknown TCP traffic detected without corresponding DNS query: 209.141.41.136
Source: unknown TCP traffic detected without corresponding DNS query: 104.236.246.93
Source: unknown TCP traffic detected without corresponding DNS query: 198.199.114.69
Source: unknown TCP traffic detected without corresponding DNS query: 152.89.236.214
Source: unknown TCP traffic detected without corresponding DNS query: 87.106.136.232
Source: unknown TCP traffic detected without corresponding DNS query: 115.78.95.230
Source: unknown TCP traffic detected without corresponding DNS query: 201.251.43.69
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 6_2_00F51383 InternetReadFile, 6_2_00F51383
a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507060394,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6","PackageId":"448e913e-e6bd-69c2-2c7f-25b80795f801-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 0000000F.00000003.729528651.0000022BADD8E000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 0000000F.00000003.731935379.0000022BADD64000.00000004.00000001.sdmp String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","P
ackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-15T21:09:58.8377117Z||.||1ad32855-590c-405c-8d49-1a557bf58211||1152921505693277189||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-03-15T21:09:05.1816176Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free* texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 0000000F.00000003.731926795.0000022BADD5C000.00000004.00000001.sdmp String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","SkuTitle":"Messenger","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9WZDNCRF0083","Properties":{"FulfillmentData":{"ProductId":"9WZDNCRF0083","WuCategoryId":"c6a9fa5c-20a2-4e12-904d-edd408657dc8","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","SkuId":"0010"},"FulfillmentType":"WindowsUpdate","Fu
lfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x64"],"Capabilities":["runFullTrust","internetClient","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":137845484,"PackageFormat":"Appx","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","MainPackageFamilyNameForDlc":null,"PackageFullName":"FACEBOOK.317180B0BB486_950.7.118.0_x64__8xx8rvfyw5nnt","PackageId":"9f0b5036-3839-33f0-1d64-45190b6cc3d7-X64","PackageRank":30002,"PlatformDependencies":[{"MaxTested":2814750970478592,"MinVersion":2814750438195200,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"FACEBOOK.317180B0BB486_950.7.118.0_x64__8xx8rvfyw5nnt\",\"content.productId\":\"3219d30d-4a23-4f58-a91c-c44b04e6a0c7\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750970478592,\"platform.minVersion\":2814750438195200,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Social\",\"optOut.backu
Source: bushexa.exe, 00000006.00000002.1033372208.0000000000199000.00000004.00000001.sdmp String found in binary or memory: http://201.251.43.69/usbccid/iplk/pdf/merge/
Source: svchost.exe, 0000000F.00000003.739088462.0000022BADD42000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 0000000F.00000003.739088462.0000022BADD42000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 0000000F.00000003.739088462.0000022BADD42000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 0000000F.00000003.739088462.0000022BADD42000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 0000000F.00000003.729578858.0000022BADD5C000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 0000000F.00000003.729578858.0000022BADD5C000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 0000000F.00000003.728341949.0000022BADD5C000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/privacy
Source: svchost.exe, 0000000F.00000003.728341949.0000022BADD5C000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/terms
Source: svchost.exe, 0000000F.00000003.736838195.0000022BADD94000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.736817048.0000022BADD60000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000000F.00000003.736838195.0000022BADD94000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.736817048.0000022BADD60000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000000F.00000003.736838195.0000022BADD94000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.736817048.0000022BADD60000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 0000000F.00000003.729578858.0000022BADD5C000.00000004.00000001.sdmp String found in binary or memory: https://instagram.com/hiddencity_
Source: svchost.exe, 0000000F.00000003.728341949.0000022BADD5C000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/ca-privacy-rights
Source: svchost.exe, 0000000F.00000003.728341949.0000022BADD5C000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
Source: svchost.exe, 0000000F.00000003.736838195.0000022BADD94000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.736817048.0000022BADD60000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000000F.00000003.736838195.0000022BADD94000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.736817048.0000022BADD60000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
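Triage note (added here, not part of the sandbox output): nearly all of the strings listed above come from svchost.exe memory and are Microsoft Store catalog data (the JSON with ProductId, PackageFamilyName and Markets fields) plus the AIA, CRL and OCSP pointers of a DigiCert certificate chain; the trailing "0" or "07" on the digicert URLs is the next DER tag byte (0x30, which prints as "0") picked up by string extraction, not part of the URL. The one string that matters for this sample is the raw-IP URL found in bushexa.exe, the copy the sample dropped into C:\Windows\SysWOW64 and that the Emotet Yara rules below match. The Python below is an added example, not sandbox code, that reproduces that separation over lines copied from this report: it parses each "String found in binary or memory" line, records which process image the string came from, strips the DER tail, and ranks strings from the sample or its dropped copy (names taken from this report) above strings from system processes and certificate URLs. The SAMPLE_PROCS set, the digicert suffix list and the category names are this example's own assumptions, not report fields.

```python
import re
from urllib.parse import urlsplit

# Lines copied from the report above; the report format is
# "Source: <proc>, <dump>[, <proc>, <dump>...] String found in binary or memory: <url>".
REPORT_LINES = [
    "Source: bushexa.exe, 00000006.00000002.1033372208.0000000000199000.00000004.00000001.sdmp String found in binary or memory: http://201.251.43.69/usbccid/iplk/pdf/merge/",
    "Source: svchost.exe, 0000000F.00000003.739088462.0000022BADD42000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0",
    "Source: svchost.exe, 0000000F.00000003.739088462.0000022BADD42000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0",
    "Source: svchost.exe, 0000000F.00000003.729578858.0000022BADD5C000.00000004.00000001.sdmp String found in binary or memory: https://instagram.com/hiddencity_",
    "Source: svchost.exe, 0000000F.00000003.736838195.0000022BADD94000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.736817048.0000022BADD60000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop",
]

STRING_RE = re.compile(r"^Source: (?P<src>.+?) String found in binary or memory: (?P<url>\S+)$")
PROC_RE = re.compile(r"([\w.-]+\.exe), ([0-9A-Fa-f]{8})\.")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Assumption of this example: the submitted sample and its dropped copy, as named in this
# report. Strings from any other image are a system process's memory, not the sample's.
SAMPLE_PROCS = {"BnJvVt951o.exe", "bushexa.exe"}
# Assumption: hosts that only appear as AIA/CRL/OCSP pointers inside X.509 certificates.
PKI_HOST_SUFFIXES = ("digicert.com",)

CATEGORY_RANK = {"sample-memory": 0, "other-process": 1, "pki-artifact": 2}


def strip_der_tail(url: str) -> str:
    """Drop the stray '0' or '07' that string extraction appends to URLs lifted out of a
    DER-encoded certificate (0x30 is the SEQUENCE tag, and it prints as '0')."""
    return re.sub(r"(\.crt|\.crl|\.com)0\d?$", r"\1", url)


def parse_string_line(line: str):
    """Parse one report line into url, host, originating process images and a category."""
    m = STRING_RE.match(line.strip())
    if not m:
        return None
    procs = []
    for proc, _proc_index in PROC_RE.findall(m.group("src")):
        if proc not in procs:          # the same image can be listed with several dumps
            procs.append(proc)
    url = strip_der_tail(m.group("url"))
    host = urlsplit(url).hostname or ""
    if any(p in SAMPLE_PROCS for p in procs):
        category = "sample-memory"
    elif host.endswith(PKI_HOST_SUFFIXES):
        category = "pki-artifact"
    else:
        category = "other-process"
    return {"url": url, "host": host, "procs": procs,
            "ip_literal": bool(IPV4_RE.match(host)), "category": category}


def triage(lines):
    """Order strings: sample/dropper memory first, raw-IP hosts first within a category."""
    recs = [r for r in (parse_string_line(line) for line in lines) if r]
    recs.sort(key=lambda r: (CATEGORY_RANK[r["category"]], not r["ip_literal"], r["url"]))
    return recs


if __name__ == "__main__":
    for r in triage(REPORT_LINES):
        flag = "IP" if r["ip_literal"] else "  "
        print(f'{r["category"]:14} {flag} {",".join(r["procs"]):12} {r["url"]}')
```

Run it over the full string section of a report rather than this excerpt; anything that lands in "sample-memory" with a raw-IP host is what goes into the IOC list, while "other-process" and "pki-artifact" entries are usually the analysis VM's own background traffic and certificate chains.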

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_0043814C GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_0043814C
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_0044C334 GetKeyState,GetKeyState,GetKeyState, 0_2_0044C334
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_004450BA ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow, 0_2_004450BA
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_0042F3FF __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent, 0_2_0042F3FF
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0043814C GetKeyState,GetKeyState,GetKeyState,GetKeyState, 1_2_0043814C
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0044C334 GetKeyState,GetKeyState,GetKeyState, 1_2_0044C334
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_004450BA ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow, 1_2_004450BA
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0042F3FF __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent, 1_2_0042F3FF
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_00449796 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent, 1_2_00449796
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_00433B4D GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 1_2_00433B4D

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 6_2_00F5C11B 6_2_00F5C11B
Yara detected Emotet
Source: Yara match File source: 00000006.00000002.1033773851.0000000000F51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.653627913.00000000022F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.653606214.00000000022C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.641142570.00000000022D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1033749046.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.641176442.00000000022E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.652667047.0000000000F61000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.652651550.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.bushexa.exe.f4053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BnJvVt951o.exe.22d053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.bushexa.exe.f4053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BnJvVt951o.exe.22c053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BnJvVt951o.exe.22d053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.bushexa.exe.f4053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.bushexa.exe.f4053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BnJvVt951o.exe.22c053f.1.raw.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 6_2_00F51F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext, 6_2_00F51F75

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.1033773851.0000000000F51000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.653627913.00000000022F1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.653606214.00000000022C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.641142570.00000000022D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000006.00000002.1033749046.0000000000F40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.641176442.00000000022E1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000005.00000002.652667047.0000000000F61000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000005.00000002.652651550.0000000000F40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 6.2.bushexa.exe.f4053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.BnJvVt951o.exe.22d053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.BnJvVt951o.exe.22d053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 6.2.bushexa.exe.f4053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 6.2.bushexa.exe.f4053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 1.2.BnJvVt951o.exe.22c053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.BnJvVt951o.exe.22d053f.2.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 5.2.bushexa.exe.f4053f.2.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 5.2.bushexa.exe.f4053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 5.2.bushexa.exe.f4053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 1.2.BnJvVt951o.exe.22c053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.BnJvVt951o.exe.22c053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Contains functionality to delete services
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 6_2_00F5C2E7 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle, 6_2_00F5C2E7
Contains functionality to launch a process as a different user
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 6_2_00F51D2B CreateProcessAsUserW,CreateProcessW, 6_2_00F51D2B
Creates files inside the system directory
Source: C:\Windows\SysWOW64\bushexa.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\BnJvVt951o.exe File deleted: C:\Windows\SysWOW64\bushexa.exe:Zone.Identifier
Detected potential crypto function
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_0041CB04 0_2_0041CB04
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_004351C1 0_2_004351C1
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_00419288 0_2_00419288
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0041CB04 1_2_0041CB04
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_004351C1 1_2_004351C1
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_00419288 1_2_00419288
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 5_2_00F430E4 5_2_00F430E4
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 5_2_00F430E8 5_2_00F430E8
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 5_2_00F428C1 5_2_00F428C1
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 5_2_00F637A5 5_2_00F637A5
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 5_2_00F637A9 5_2_00F637A9
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 5_2_00F62F82 5_2_00F62F82
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 6_2_00F430E4 6_2_00F430E4
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 6_2_00F430E8 6_2_00F430E8
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 6_2_00F428C1 6_2_00F428C1
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 6_2_00F537A5 6_2_00F537A5
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 6_2_00F537A9 6_2_00F537A9
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 6_2_00F52F82 6_2_00F52F82
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: String function: 00401AB4 appears 35 times
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: String function: 0041C3B9 appears 42 times
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: String function: 004334D7 appears 59 times
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: String function: 0044D589 appears 65 times
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: String function: 00419937 appears 8618 times
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: String function: 00419918 appears 400 times
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: String function: 0041923C appears 91 times
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: String function: 0041E3BF appears 51 times
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: String function: 0044D5AF appears 36 times
Sample file is different than original file name gathered from version info
Source: BnJvVt951o.exe, 00000000.00000002.641090215.0000000002200000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs BnJvVt951o.exe
Source: BnJvVt951o.exe, 00000001.00000002.654977559.0000000002B10000.00000002.00000001.sdmp Binary or memory string: originalfilename vs BnJvVt951o.exe
Source: BnJvVt951o.exe, 00000001.00000002.654977559.0000000002B10000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs BnJvVt951o.exe
Source: BnJvVt951o.exe, 00000001.00000002.654810432.0000000002A10000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs BnJvVt951o.exe
Uses 32bit PE files
Source: BnJvVt951o.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000006.00000002.1033773851.0000000000F51000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.653627913.00000000022F1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.653606214.00000000022C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.641142570.00000000022D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000006.00000002.1033749046.0000000000F40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.641176442.00000000022E1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000005.00000002.652667047.0000000000F61000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000005.00000002.652651550.0000000000F40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 6.2.bushexa.exe.f4053f.1.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 6.2.bushexa.exe.f4053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.BnJvVt951o.exe.22d053f.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 0.2.BnJvVt951o.exe.22d053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.BnJvVt951o.exe.22d053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 6.2.bushexa.exe.f4053f.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 6.2.bushexa.exe.f4053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 6.2.bushexa.exe.f4053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 1.2.BnJvVt951o.exe.22c053f.1.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 1.2.BnJvVt951o.exe.22c053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.BnJvVt951o.exe.22d053f.2.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 0.2.BnJvVt951o.exe.22d053f.2.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 5.2.bushexa.exe.f4053f.2.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 5.2.bushexa.exe.f4053f.2.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 5.2.bushexa.exe.f4053f.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 5.2.bushexa.exe.f4053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 5.2.bushexa.exe.f4053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 1.2.BnJvVt951o.exe.22c053f.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 1.2.BnJvVt951o.exe.22c053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.BnJvVt951o.exe.22c053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: classification engine Classification label: mal96.bank.troj.evad.winEXE@10/0@0/10
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0043F939 __EH_prolog,GetDiskFreeSpaceA,GetFullPathNameA,GetTempFileNameA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA, 1_2_0043F939
Source: C:\Windows\SysWOW64\bushexa.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, 6_2_00F5C3B7
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 5_2_00F61943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 5_2_00F61943
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_00416DE7 __EH_prolog,VariantClear,SysAllocStringByteLen,CoCreateInstance,CoCreateInstance,CoCreateInstance, 0_2_00416DE7
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_004315F6 __EH_prolog,FindResourceA,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource, 0_2_004315F6
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 6_2_00F5C3B7 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, 6_2_00F5C3B7
Source: C:\Users\user\Desktop\BnJvVt951o.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: C:\Users\user\Desktop\BnJvVt951o.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\MB16D1E68
Source: C:\Users\user\Desktop\BnJvVt951o.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\IB16D1E68
Source: C:\Windows\SysWOW64\bushexa.exe Mutant created: \BaseNamedObjects\Global\IB16D1E68
Source: BnJvVt951o.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BnJvVt951o.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\BnJvVt951o.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: BnJvVt951o.exe Virustotal: Detection: 84%
Source: BnJvVt951o.exe ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\bushexa.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: unknown Process created: C:\Users\user\Desktop\BnJvVt951o.exe 'C:\Users\user\Desktop\BnJvVt951o.exe'
Source: C:\Users\user\Desktop\BnJvVt951o.exe Process created: C:\Users\user\Desktop\BnJvVt951o.exe --132eeff2
Source: unknown Process created: C:\Windows\SysWOW64\bushexa.exe C:\Windows\SysWOW64\bushexa.exe
Source: C:\Windows\SysWOW64\bushexa.exe Process created: C:\Windows\SysWOW64\bushexa.exe --22f27ebc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\BnJvVt951o.exe Process created: C:\Users\user\Desktop\BnJvVt951o.exe --132eeff2
Source: C:\Windows\SysWOW64\bushexa.exe Process created: C:\Windows\SysWOW64\bushexa.exe --22f27ebc
Source: C:\Users\user\Desktop\BnJvVt951o.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: BnJvVt951o.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Users\User\Desktop\2003\modeless\Release\modeless.pdb source: BnJvVt951o.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_00432655 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary, 0_2_00432655
PE file contains an invalid checksum
Source: BnJvVt951o.exe Static PE information: real checksum: 0x7ffed should be: 0x800e5
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_00419277 push ecx; ret 0_2_00419287
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_004193A0 push eax; ret 0_2_004193B4
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_004193A0 push eax; ret 0_2_004193DC
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_00419277 push ecx; ret 1_2_00419287
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_004193A0 push eax; ret 1_2_004193B4
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_004193A0 push eax; ret 1_2_004193DC
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_00419918 push eax; ret 1_2_00419936
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 5_2_00F4E190 push BB276B01h; ret 5_2_00F4E1C2
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 6_2_00F4E190 push BB276B01h; ret 6_2_00F4E1C2

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\bushexa.exe Executable created and started: C:\Windows\SysWOW64\bushexa.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\BnJvVt951o.exe PE file moved: C:\Windows\SysWOW64\bushexa.exe
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 6_2_00F5C3B7 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, 6_2_00F5C3B7

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\BnJvVt951o.exe File opened: C:\Windows\SysWOW64\bushexa.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_004121E0 IsIconic,SetFileSecurityW,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 0_2_004121E0
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_0043ED39 GetParent,GetParent,IsIconic,GetParent, 0_2_0043ED39
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_00412F6C IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00412F6C
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_004415C2 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA, 0_2_004415C2
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_004121E0 IsIconic,SetFileSecurityW,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 1_2_004121E0
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0043ED39 GetParent,GetParent,IsIconic,GetParent, 1_2_0043ED39
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_00412F6C IsIconic,GetWindowPlacement,GetWindowRect, 1_2_00412F6C
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_004415C2 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA, 1_2_004415C2
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_00449839 IsWindowVisible,IsIconic, 1_2_00449839
Source: C:\Users\user\Desktop\BnJvVt951o.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BnJvVt951o.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BnJvVt951o.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BnJvVt951o.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\bushexa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\bushexa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\bushexa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\bushexa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\bushexa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\bushexa.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\SysWOW64\bushexa.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\BnJvVt951o.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to enumerate running services
Source: C:\Windows\SysWOW64\bushexa.exe Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle, 6_2_00F5C11B
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\bushexa.exe API coverage: 9.5 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 4492 Thread sleep time: -30000s >= -30000s
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\BnJvVt951o.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 0_2_0043A377
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_0043AE3F lstrlenA,FindFirstFileA,FindClose, 0_2_0043AE3F
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 1_2_0043A377
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0043AE3F lstrlenA,FindFirstFileA,FindClose, 1_2_0043AE3F
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_00419156 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect, 0_2_00419156
Source: svchost.exe, 00000007.00000002.665296056.0000027608E70000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.709817759.00000218D4260000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.723300627.000001BF11A80000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.749546426.0000022BAE400000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 0000000F.00000002.748940503.0000022BAD4FA000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 0000000F.00000002.748929810.0000022BAD4EB000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000007.00000002.665296056.0000027608E70000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.709817759.00000218D4260000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.723300627.000001BF11A80000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.749546426.0000022BAE400000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000007.00000002.665296056.0000027608E70000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.709817759.00000218D4260000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.723300627.000001BF11A80000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.749546426.0000022BAE400000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 0000000F.00000002.748881279.0000022BAD4A5000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW`
Source: svchost.exe, 00000007.00000002.665296056.0000027608E70000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.709817759.00000218D4260000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.723300627.000001BF11A80000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.749546426.0000022BAE400000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\bushexa.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\bushexa.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\bushexa.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\bushexa.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_00432655 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary, 0_2_00432655
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_00401B93 mov eax, dword ptr fs:[00000030h] 1_2_00401B93
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_00401BA2 mov eax, dword ptr fs:[00000030h] 1_2_00401BA2
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 5_2_00F40467 mov eax, dword ptr fs:[00000030h] 5_2_00F40467
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 5_2_00F40C0C mov eax, dword ptr fs:[00000030h] 5_2_00F40C0C
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 5_2_00F41743 mov eax, dword ptr fs:[00000030h] 5_2_00F41743
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 5_2_00F612CD mov eax, dword ptr fs:[00000030h] 5_2_00F612CD
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 5_2_00F61E04 mov eax, dword ptr fs:[00000030h] 5_2_00F61E04
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 6_2_00F40467 mov eax, dword ptr fs:[00000030h] 6_2_00F40467
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 6_2_00F40C0C mov eax, dword ptr fs:[00000030h] 6_2_00F40C0C
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 6_2_00F41743 mov eax, dword ptr fs:[00000030h] 6_2_00F41743
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 6_2_00F512CD mov eax, dword ptr fs:[00000030h] 6_2_00F512CD
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 6_2_00F51E04 mov eax, dword ptr fs:[00000030h] 6_2_00F51E04
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 5_2_00F614F2 GetProcessHeap,RtlAllocateHeap, 5_2_00F614F2
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_00420406 SetUnhandledExceptionFilter, 0_2_00420406
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_0042041A SetUnhandledExceptionFilter, 0_2_0042041A
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_00420406 SetUnhandledExceptionFilter, 1_2_00420406
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_0042041A SetUnhandledExceptionFilter, 1_2_0042041A

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\bushexa.exe Code function: 5_2_00F4C477 cpuid 5_2_00F4C477
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetLocaleInfoA,_strncpy, 0_2_00426F2A
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 0_2_00401069
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: _strlen,EnumSystemLocalesA, 0_2_00427449
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: _strlen,_strlen,EnumSystemLocalesA, 0_2_00427480
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat, 0_2_0042755B
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: _strlen,EnumSystemLocalesA, 0_2_00427506
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetLocaleInfoA,_strncpy, 1_2_00426F2A
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 1_2_00401069
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: _strlen,EnumSystemLocalesA, 1_2_00427449
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: _strlen,_strlen,EnumSystemLocalesA, 1_2_00427480
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat, 1_2_0042755B
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: _strlen,EnumSystemLocalesA, 1_2_00427506
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetLocaleInfoA, 1_2_00427749
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA, 1_2_0044D759
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar, 1_2_004299EE
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetLocaleInfoA,MultiByteToWideChar, 1_2_00429AAA
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 1_2_00429B1E
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: GetLocaleInfoW,WideCharToMultiByte, 1_2_00429BD1
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\BnJvVt951o.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\bushexa.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_00420151 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00420151
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_004231DB __lock,_strlen,_strcat,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy, 0_2_004231DB
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_0044A5CB GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterWindowMessageA, 0_2_0044A5CB
Source: C:\Users\user\Desktop\BnJvVt951o.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000006.00000002.1033773851.0000000000F51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.653627913.00000000022F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.653606214.00000000022C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.641142570.00000000022D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1033749046.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.641176442.00000000022E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.652667047.0000000000F61000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.652651550.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.bushexa.exe.f4053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BnJvVt951o.exe.22d053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.bushexa.exe.f4053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BnJvVt951o.exe.22c053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BnJvVt951o.exe.22d053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.bushexa.exe.f4053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.bushexa.exe.f4053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BnJvVt951o.exe.22c053f.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 0_2_004514EB CreateBindCtx,lstrlenW,lstrlenA,CoTaskMemFree, 0_2_004514EB
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_004514EB CreateBindCtx,lstrlenW,lstrlenA,CoTaskMemFree, 1_2_004514EB
Source: C:\Users\user\Desktop\BnJvVt951o.exe Code function: 1_2_00451B05 lstrlenA,lstrlenW,lstrlenW,lstrlenW,CoTaskMemAlloc,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree, 1_2_00451B05
Behavior Graph
ID: 382018
Sample: BnJvVt951o.exe
Startdate: 05/04/2021
Architecture: WINDOWS
Score: 96

Start node signatures:
  • Malicious sample detected (through community Yara rule)
  • Antivirus / Scanner detection for submitted sample
  • Multi AV Scanner detection for submitted file
  • 2 other signatures

Processes started from the start node:
  • bushexa.exe 4
  • BnJvVt951o.exe 4
  • svchost.exe 1
  • 3 other processes

bushexa.exe signatures:
  • Detected Emotet e-Banking trojan
  • Found evasive API chain (may stop execution after checking mutex)
  • Drops executables to the windows directory (C:\Windows) and starts them
bushexa.exe started: bushexa.exe 19
BnJvVt951o.exe started: BnJvVt951o.exe 5
svchost.exe contacted: 192.168.2.1 unknown unknown

Child bushexa.exe contacted:
  • 115.78.95.230, 443 VIETEL-AS-APViettelGroupVN Viet Nam
  • 209.141.41.136, 8080 PONYNETUS United States
  • 7 other IPs or domains
Child BnJvVt951o.exe signature:
  • Hides that the sample has been downloaded from the Internet (zone.identifier)

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
152.89.236.214 | unknown | Germany | 31400 | ACCELERATED-ITDE | false
198.199.114.69 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | false
104.236.246.93 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | false
178.210.51.222 | unknown | Russian Federation | 43727 | KVANT-TELECOMRU | false
115.78.95.230 | unknown | Viet Nam | 7552 | VIETEL-AS-APViettelGroupVN | false
201.251.43.69 | unknown | Argentina | 27927 | CoopPopulardeElecObrasyServiciosPubdeSantaRosa | false
45.33.54.74 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | false
209.141.41.136 | unknown | United States | 53667 | PONYNETUS | false
87.106.136.232 | unknown | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | false

Private

IP
192.168.2.1