Analysis Report BnJvVt951o.exe

Overview

General Information

Sample Name: BnJvVt951o.exe
Analysis ID: 382018
MD5: ae03a6f8fb74d401b403647d28e21574
SHA1: 6ee320cedc77499f5df9ae9c93ef42c0d91f3ce8
SHA256: 1ad1ff05930f27ef4b349c7a612235d1632ef7ceaa1a17adf7c7b3a97b40ca4d
Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Emotet e-Banking trojan
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Emotet
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • BnJvVt951o.exe (PID: 7148 cmdline: 'C:\Users\user\Desktop\BnJvVt951o.exe' MD5: AE03A6F8FB74D401B403647D28E21574)
    • BnJvVt951o.exe (PID: 6224 cmdline: --132eeff2 MD5: AE03A6F8FB74D401B403647D28E21574)
  • bushexa.exe (PID: 6064 cmdline: C:\Windows\SysWOW64\bushexa.exe MD5: AE03A6F8FB74D401B403647D28E21574)
    • bushexa.exe (PID: 5856 cmdline: --22f27ebc MD5: AE03A6F8FB74D401B403647D28E21574)
  • svchost.exe (PID: 900 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6996 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6060 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4164 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.1033773851.0000000000F51000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000006.00000002.1033773851.0000000000F51000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly |
  • 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA F5 00 85 C0
  • 0x50d4:$snippet6: 33 C0 21 05 EC 10 F6 00 A3 E8 10 F6 00 39 05 A0 E3 F5 00 74 18 40 A3 E8 10 F6 00 83 3C C5 A0 E3 ...
00000001.00000002.653627913.00000000022F1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.653627913.00000000022F1000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly |
  • 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 2F 02 85 C0
  • 0x50d4:$snippet6: 33 C0 21 05 EC 10 30 02 A3 E8 10 30 02 39 05 A0 E3 2F 02 74 18 40 A3 E8 10 30 02 83 3C C5 A0 E3 ...
00000001.00000002.653606214.00000000022C0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.bushexa.exe.f4053f.1.unpack | MAL_Emotet_Jan20_1 | Detects Emotet malware | Florian Roth |
  • 0x2577:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20
  • 0x255d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
6.2.bushexa.exe.f4053f.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
6.2.bushexa.exe.f4053f.1.unpack | Emotet | Emotet Payload | kevoreilly |
  • 0x7ad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 40 00 85 C0
  • 0x48d4:$snippet6: 33 C0 21 05 EC 10 41 00 A3 E8 10 41 00 39 05 A0 E3 40 00 74 18 40 A3 E8 10 41 00 83 3C C5 A0 E3 ...
0.2.BnJvVt951o.exe.22d053f.2.raw.unpack | MAL_Emotet_Jan20_1 | Detects Emotet malware | Florian Roth |
  • 0x3177:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20
  • 0x315d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
0.2.BnJvVt951o.exe.22d053f.2.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: BnJvVt951o.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: BnJvVt951o.exe | Virustotal: Detection: 84%
Source: BnJvVt951o.exe | ReversingLabs: Detection: 96%
Machine Learning detection for sample
Source: BnJvVt951o.exe | Joe Sandbox ML: detected
Source: 6.2.bushexa.exe.f4053f.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.BnJvVt951o.exe.22c053f.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.BnJvVt951o.exe.22d053f.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.bushexa.exe.f4053f.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 6_2_00F5207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash,
Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 6_2_00F51FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,
Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 6_2_00F51F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext,
Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 6_2_00F51F11 CryptExportKey,
Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 6_2_00F51F56 CryptGetHashParam,
Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 6_2_00F5215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,
Source: BnJvVt951o.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: c:\Users\User\Desktop\2003\modeless\Release\modeless.pdb source: BnJvVt951o.exe
Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 0_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,
Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 0_2_0043AE3F lstrlenA,FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 1_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,
Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 1_2_0043AE3F lstrlenA,FindFirstFileA,FindClose,
Source: global traffic | TCP traffic: 192.168.2.4:49746 -> 209.141.41.136:8080
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 104.236.246.93:8080
Source: global traffic | TCP traffic: 192.168.2.4:49768 -> 198.199.114.69:8080
Source: global traffic | TCP traffic: 192.168.2.4:49771 -> 152.89.236.214:8080
Source: global traffic | TCP traffic: 192.168.2.4:49772 -> 87.106.136.232:8080
Source: global traffic | TCP traffic: 192.168.2.4:49773 -> 178.210.51.222:8080
Source: global traffic | TCP traffic: 192.168.2.4:49775 -> 201.251.43.69:8080
Source: Joe Sandbox View | IP Address: 198.199.114.69 198.199.114.69
Source: Joe Sandbox View | IP Address: 104.236.246.93 104.236.246.93
Source: Joe Sandbox View | IP Address: 104.236.246.93 104.236.246.93
Source: unknown | TCP traffic detected without corresponding DNS query: 45.33.54.74
Source: unknown | TCP traffic detected without corresponding DNS query: 45.33.54.74
Source: unknown | TCP traffic detected without corresponding DNS query: 45.33.54.74
Source: unknown | TCP traffic detected without corresponding DNS query: 209.141.41.136
Source: unknown | TCP traffic detected without corresponding DNS query: 209.141.41.136
Source: unknown | TCP traffic detected without corresponding DNS query: 209.141.41.136
Source: unknown | TCP traffic detected without corresponding DNS query: 104.236.246.93
Source: unknown | TCP traffic detected without corresponding DNS query: 104.236.246.93
Source: unknown | TCP traffic detected without corresponding DNS query: 104.236.246.93
Source: unknown | TCP traffic detected without corresponding DNS query: 198.199.114.69
Source: unknown | TCP traffic detected without corresponding DNS query: 198.199.114.69
Source: unknown | TCP traffic detected without corresponding DNS query: 198.199.114.69
Source: unknown | TCP traffic detected without corresponding DNS query: 152.89.236.214
Source: unknown | TCP traffic detected without corresponding DNS query: 152.89.236.214
Source: unknown | TCP traffic detected without corresponding DNS query: 152.89.236.214
Source: unknown | TCP traffic detected without corresponding DNS query: 87.106.136.232
Source: unknown | TCP traffic detected without corresponding DNS query: 87.106.136.232
Source: unknown | TCP traffic detected without corresponding DNS query: 87.106.136.232
Source: unknown | TCP traffic detected without corresponding DNS query: 115.78.95.230
Source: unknown | TCP traffic detected without corresponding DNS query: 115.78.95.230
Source: unknown | TCP traffic detected without corresponding DNS query: 115.78.95.230
Source: unknown | TCP traffic detected without corresponding DNS query: 201.251.43.69
Source: unknown | TCP traffic detected without corresponding DNS query: 201.251.43.69
Source: unknown | TCP traffic detected without corresponding DNS query: 201.251.43.69
Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 6_2_00F51383 InternetReadFile,
Source: svchost.exe, 0000000F.00000002.749204665.0000022BADD4F000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000F.00000002.749204665.0000022BADD4F000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000F.00000002.749204665.0000022BADD4F000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-01T08:42:55.8407457Z||.||646da06c-a69a-4aff-bcc8-3f5a349348ca||1152921505693336001||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000F.00000002.749204665.0000022BADD4F000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI",E equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000F.00000002.749204665.0000022BADD4F000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI",E equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000F.00000003.737786853.0000022BADD64000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI",lh., equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000F.00000003.737786853.0000022BADD64000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI",lh., equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000F.00000003.731906019.0000022BADD7D000.00000004.00000001.sdmp | String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-15T21:09:58.8377117Z||.||1ad32855-590c-405c-8d49-1a557bf58211||1152921505693277189||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-03-15T21:09:05.1816176Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free* texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 0000000F.00000003.729578858.0000022BADD5C000.00000004.00000001.sdmp | String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
            Source: svchost.exe, 0000000F.00000003.729578858.0000022BADD5C000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
            Source: svchost.exe, 0000000F.00000003.729578858.0000022BADD5C000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507060394,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6","PackageId":"448e913e-e6bd-69c2-2c7f-25b80795f801-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
            Source: svchost.exe, 0000000F.00000003.729528651.0000022BADD8E000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
            Source: svchost.exe, 0000000F.00000003.731935379.0000022BADD64000.00000004.00000001.sdmp String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-15T21:09:58.8377117Z||.||1ad32855-590c-405c-8d49-1a557bf58211||1152921505693277189||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-03-15T21:09:05.1816176Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free* texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
            Source: svchost.exe, 0000000F.00000003.731926795.0000022BADD5C000.00000004.00000001.sdmp String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","SkuTitle":"Messenger","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9WZDNCRF0083","Properties":{"FulfillmentData":{"ProductId":"9WZDNCRF0083","WuCategoryId":"c6a9fa5c-20a2-4e12-904d-edd408657dc8","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","SkuId":"0010"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x64"],"Capabilities":["runFullTrust","internetClient","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":137845484,"PackageFormat":"Appx","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","MainPackageFamilyNameForDlc":null,"PackageFullName":"FACEBOOK.317180B0BB486_950.7.118.0_x64__8xx8rvfyw5nnt","PackageId":"9f0b5036-3839-33f0-1d64-45190b6cc3d7-X64","PackageRank":30002,"PlatformDependencies":[{"MaxTested":2814750970478592,"MinVersion":2814750438195200,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"FACEBOOK.317180B0BB486_950.7.118.0_x64__8xx8rvfyw5nnt\",\"content.productId\":\"3219d30d-4a23-4f58-a91c-c44b04e6a0c7\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750970478592,\"platform.minVersion\":2814750438195200,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Social\",\"optOut.backu
            Source: bushexa.exe, 00000006.00000002.1033372208.0000000000199000.00000004.00000001.sdmp String found in binary or memory: http://201.251.43.69/usbccid/iplk/pdf/merge/
            Source: svchost.exe, 0000000F.00000003.739088462.0000022BADD42000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
            Source: svchost.exe, 0000000F.00000003.739088462.0000022BADD42000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
            Source: svchost.exe, 0000000F.00000003.739088462.0000022BADD42000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
            Source: svchost.exe, 0000000F.00000003.739088462.0000022BADD42000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
            Source: svchost.exe, 0000000F.00000003.729578858.0000022BADD5C000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
            Source: svchost.exe, 0000000F.00000003.729578858.0000022BADD5C000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
            Source: svchost.exe, 0000000F.00000003.728341949.0000022BADD5C000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/privacy
            Source: svchost.exe, 0000000F.00000003.728341949.0000022BADD5C000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/terms
            Source: svchost.exe, 0000000F.00000003.736838195.0000022BADD94000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.736817048.0000022BADD60000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
            Source: svchost.exe, 0000000F.00000003.736838195.0000022BADD94000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.736817048.0000022BADD60000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
            Source: svchost.exe, 0000000F.00000003.736838195.0000022BADD94000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.736817048.0000022BADD60000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
            Source: svchost.exe, 0000000F.00000003.729578858.0000022BADD5C000.00000004.00000001.sdmp String found in binary or memory: https://instagram.com/hiddencity_
            Source: svchost.exe, 0000000F.00000003.728341949.0000022BADD5C000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/ca-privacy-rights
            Source: svchost.exe, 0000000F.00000003.728341949.0000022BADD5C000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
            Source: svchost.exe, 0000000F.00000003.736838195.0000022BADD94000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.736817048.0000022BADD60000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
            Source: svchost.exe, 0000000F.00000003.736838195.0000022BADD94000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.736817048.0000022BADD60000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
            Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49774 -> 443
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: 0_2_0043814C GetKeyState,GetKeyState,GetKeyState,GetKeyState,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: 0_2_0044C334 GetKeyState,GetKeyState,GetKeyState,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: 0_2_004450BA ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: 0_2_0042F3FF __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: 1_2_0043814C GetKeyState,GetKeyState,GetKeyState,GetKeyState,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: 1_2_0044C334 GetKeyState,GetKeyState,GetKeyState,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: 1_2_004450BA ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: 1_2_0042F3FF __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: 1_2_00449796 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: 1_2_00433B4D GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

            E-Banking Fraud:

            Detected Emotet e-Banking trojan
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 6_2_00F5C11B
            Yara detected Emotet
            Source: Yara match | File source: 00000006.00000002.1033773851.0000000000F51000.00000020.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.653627913.00000000022F1000.00000020.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.653606214.00000000022C0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.641142570.00000000022D0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.1033749046.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.641176442.00000000022E1000.00000020.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.652667047.0000000000F61000.00000020.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.652651550.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 6.2.bushexa.exe.f4053f.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.BnJvVt951o.exe.22d053f.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.bushexa.exe.f4053f.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.BnJvVt951o.exe.22c053f.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.BnJvVt951o.exe.22d053f.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.bushexa.exe.f4053f.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.bushexa.exe.f4053f.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.BnJvVt951o.exe.22c053f.1.raw.unpack, type: UNPACKEDPE
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 6_2_00F51F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext,

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 00000006.00000002.1033773851.0000000000F51000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
            Source: 00000001.00000002.653627913.00000000022F1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
            Source: 00000001.00000002.653606214.00000000022C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
            Source: 00000000.00000002.641142570.00000000022D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
            Source: 00000006.00000002.1033749046.0000000000F40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
            Source: 00000000.00000002.641176442.00000000022E1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
            Source: 00000005.00000002.652667047.0000000000F61000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
            Source: 00000005.00000002.652651550.0000000000F40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
            Source: 6.2.bushexa.exe.f4053f.1.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
            Source: 0.2.BnJvVt951o.exe.22d053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
            Source: 0.2.BnJvVt951o.exe.22d053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
            Source: 6.2.bushexa.exe.f4053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
            Source: 6.2.bushexa.exe.f4053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
            Source: 1.2.BnJvVt951o.exe.22c053f.1.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
            Source: 0.2.BnJvVt951o.exe.22d053f.2.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
            Source: 5.2.bushexa.exe.f4053f.2.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
            Source: 5.2.bushexa.exe.f4053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
            Source: 5.2.bushexa.exe.f4053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
            Source: 1.2.BnJvVt951o.exe.22c053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
            Source: 1.2.BnJvVt951o.exe.22c053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 6_2_00F5C2E7 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle,
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 6_2_00F51D2B CreateProcessAsUserW,CreateProcessW,
            Source: C:\Windows\SysWOW64\bushexa.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | File deleted: C:\Windows\SysWOW64\bushexa.exe:Zone.Identifier
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 0_2_0041CB04
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 0_2_004351C1
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 0_2_00419288
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 1_2_0041CB04
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 1_2_004351C1
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 1_2_00419288
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 5_2_00F430E4
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 5_2_00F430E8
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 5_2_00F428C1
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 5_2_00F637A5
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 5_2_00F637A9
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 5_2_00F62F82
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 6_2_00F430E4
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 6_2_00F430E8
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 6_2_00F428C1
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 6_2_00F537A5
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 6_2_00F537A9
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 6_2_00F52F82
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: String function: 00401AB4 appears 35 times
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: String function: 0041C3B9 appears 42 times
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: String function: 004334D7 appears 59 times
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: String function: 0044D589 appears 65 times
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: String function: 00419937 appears 8618 times
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: String function: 00419918 appears 400 times
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: String function: 0041923C appears 91 times
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: String function: 0041E3BF appears 51 times
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: String function: 0044D5AF appears 36 times
            Source: BnJvVt951o.exe, 00000000.00000002.641090215.0000000002200000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs BnJvVt951o.exe
            Source: BnJvVt951o.exe, 00000001.00000002.654977559.0000000002B10000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs BnJvVt951o.exe
            Source: BnJvVt951o.exe, 00000001.00000002.654977559.0000000002B10000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs BnJvVt951o.exe
            Source: BnJvVt951o.exe, 00000001.00000002.654810432.0000000002A10000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs BnJvVt951o.exe
            Source: BnJvVt951o.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: 00000006.00000002.1033773851.0000000000F51000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 00000001.00000002.653627913.00000000022F1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 00000001.00000002.653606214.00000000022C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 00000000.00000002.641142570.00000000022D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 00000006.00000002.1033749046.0000000000F40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 00000000.00000002.641176442.00000000022E1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 00000005.00000002.652667047.0000000000F61000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 00000005.00000002.652651550.0000000000F40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 6.2.bushexa.exe.f4053f.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
            Source: 6.2.bushexa.exe.f4053f.1.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 0.2.BnJvVt951o.exe.22d053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
            Source: 0.2.BnJvVt951o.exe.22d053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 0.2.BnJvVt951o.exe.22d053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
            Source: 6.2.bushexa.exe.f4053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
            Source: 6.2.bushexa.exe.f4053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 6.2.bushexa.exe.f4053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
            Source: 1.2.BnJvVt951o.exe.22c053f.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
            Source: 1.2.BnJvVt951o.exe.22c053f.1.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 0.2.BnJvVt951o.exe.22d053f.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
            Source: 0.2.BnJvVt951o.exe.22d053f.2.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 5.2.bushexa.exe.f4053f.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
            Source: 5.2.bushexa.exe.f4053f.2.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 5.2.bushexa.exe.f4053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
            Source: 5.2.bushexa.exe.f4053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 5.2.bushexa.exe.f4053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
            Source: 1.2.BnJvVt951o.exe.22c053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
            Source: 1.2.BnJvVt951o.exe.22c053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
            Source: 1.2.BnJvVt951o.exe.22c053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
            Source: classification engine | Classification label: mal96.bank.troj.evad.winEXE@10/0@0/10
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 1_2_0043F939 __EH_prolog,GetDiskFreeSpaceA,GetFullPathNameA,GetTempFileNameA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA,
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 5_2_00F61943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 0_2_00416DE7 __EH_prolog,VariantClear,SysAllocStringByteLen,CoCreateInstance,CoCreateInstance,CoCreateInstance,
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 0_2_004315F6 __EH_prolog,FindResourceA,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource,
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 6_2_00F5C3B7 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\MB16D1E68
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\IB16D1E68
            Source: C:\Windows\SysWOW64\bushexa.exe | Mutant created: \BaseNamedObjects\Global\IB16D1E68
            Source: BnJvVt951o.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: BnJvVt951o.exe | Virustotal: Detection: 84%
            Source: BnJvVt951o.exe | ReversingLabs: Detection: 96%
            Source: C:\Windows\SysWOW64\bushexa.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
            Source: unknown | Process created: C:\Users\user\Desktop\BnJvVt951o.exe 'C:\Users\user\Desktop\BnJvVt951o.exe'
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Process created: C:\Users\user\Desktop\BnJvVt951o.exe --132eeff2
            Source: unknown | Process created: C:\Windows\SysWOW64\bushexa.exe C:\Windows\SysWOW64\bushexa.exe
            Source: C:\Windows\SysWOW64\bushexa.exe | Process created: C:\Windows\SysWOW64\bushexa.exe --22f27ebc
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Process created: C:\Users\user\Desktop\BnJvVt951o.exe --132eeff2
            Source: C:\Windows\SysWOW64\bushexa.exe | Process created: C:\Windows\SysWOW64\bushexa.exe --22f27ebc
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: BnJvVt951o.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: c:\Users\User\Desktop\2003\modeless\Release\modeless.pdb source: BnJvVt951o.exe
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 0_2_00432655 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,
            Source: BnJvVt951o.exe | Static PE information: real checksum: 0x7ffed should be: 0x800e5
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 0_2_00419277 push ecx; ret
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 0_2_004193A0 push eax; ret
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 0_2_004193A0 push eax; ret
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 1_2_00419277 push ecx; ret
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 1_2_004193A0 push eax; ret
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 1_2_004193A0 push eax; ret
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 1_2_00419918 push eax; ret
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 5_2_00F4E190 push BB276B01h; ret
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 6_2_00F4E190 push BB276B01h; ret

            Persistence and Installation Behavior:

            Drops executables to the windows directory (C:\Windows) and starts them
            Source: C:\Windows\SysWOW64\bushexa.exe | Executable created and started: C:\Windows\SysWOW64\bushexa.exe
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | PE file moved: C:\Windows\SysWOW64\bushexa.exe
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 6_2_00F5C3B7 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,

            Hooking and other Techniques for Hiding and Protection:

            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | File opened: C:\Windows\SysWOW64\bushexa.exe:Zone.Identifier read attributes | delete
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 0_2_004121E0 IsIconic,SetFileSecurityW,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 0_2_0043ED39 GetParent,GetParent,IsIconic,GetParent,
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 0_2_00412F6C IsIconic,GetWindowPlacement,GetWindowRect,
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 0_2_004415C2 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 1_2_004121E0 IsIconic,SetFileSecurityW,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 1_2_0043ED39 GetParent,GetParent,IsIconic,GetParent,
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 1_2_00412F6C IsIconic,GetWindowPlacement,GetWindowRect,
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 1_2_004415C2 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 1_2_00449839 IsWindowVisible,IsIconic,
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\bushexa.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\bushexa.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\bushexa.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\bushexa.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\bushexa.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\bushexa.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Found evasive API chain (may stop execution after checking mutex)
            Source: C:\Windows\SysWOW64\bushexa.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle,
            Source: C:\Windows\SysWOW64\bushexa.exe | API coverage: 9.5 %
            Source: C:\Windows\System32\svchost.exe TID: 4492 | Thread sleep time: -30000s >= -30000s
            Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 0_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 0_2_0043AE3F lstrlenA,FindFirstFileA,FindClose,
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 1_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 1_2_0043AE3F lstrlenA,FindFirstFileA,FindClose,
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 0_2_00419156 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,
            Source: svchost.exe, 00000007.00000002.665296056.0000027608E70000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.709817759.00000218D4260000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.723300627.000001BF11A80000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.749546426.0000022BAE400000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: svchost.exe, 0000000F.00000002.748940503.0000022BAD4FA000.00000004.00000001.sdmp | Binary or memory string: @Hyper-V RAW
            Source: svchost.exe, 0000000F.00000002.748929810.0000022BAD4EB000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
            Source: svchost.exe, 00000007.00000002.665296056.0000027608E70000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.709817759.00000218D4260000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.723300627.000001BF11A80000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.749546426.0000022BAE400000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: svchost.exe, 00000007.00000002.665296056.0000027608E70000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.709817759.00000218D4260000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.723300627.000001BF11A80000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.749546426.0000022BAE400000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: svchost.exe, 0000000F.00000002.748881279.0000022BAD4A5000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW`
            Source: svchost.exe, 00000007.00000002.665296056.0000027608E70000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.709817759.00000218D4260000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.723300627.000001BF11A80000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.749546426.0000022BAE400000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Windows\SysWOW64\bushexa.exe | API call chain: ExitProcess graph end node
            Source: C:\Windows\SysWOW64\bushexa.exe | API call chain: ExitProcess graph end node
            Source: C:\Windows\SysWOW64\bushexa.exe | API call chain: ExitProcess graph end node
            Source: C:\Windows\SysWOW64\bushexa.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 0_2_00432655 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 1_2_00401B93 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 1_2_00401BA2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 5_2_00F40467 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 5_2_00F40C0C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 5_2_00F41743 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 5_2_00F612CD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 5_2_00F61E04 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 6_2_00F40467 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 6_2_00F40C0C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 6_2_00F41743 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 6_2_00F512CD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 6_2_00F51E04 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\bushexa.exe | Code function: 5_2_00F614F2 GetProcessHeap,RtlAllocateHeap,
            Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 0_2_00420406 SetUnhandledExceptionFilter,
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 0_2_0042041A SetUnhandledExceptionFilter,
            Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 1_2_00420406 SetUnhandledExceptionFilter,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: 1_2_0042041A SetUnhandledExceptionFilter,
            Source: C:\Windows\SysWOW64\bushexa.exeCode function: 5_2_00F4C477 cpuid
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: GetLocaleInfoA,_strncpy,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: _strlen,EnumSystemLocalesA,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: _strlen,_strlen,EnumSystemLocalesA,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: _strlen,EnumSystemLocalesA,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: GetLocaleInfoA,_strncpy,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: _strlen,EnumSystemLocalesA,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: _strlen,_strlen,EnumSystemLocalesA,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: _strlen,EnumSystemLocalesA,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: GetLocaleInfoA,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: lstrcpyA,LoadLibraryA,GetLocaleInfoA,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: GetLocaleInfoA,MultiByteToWideChar,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: GetLocaleInfoW,WideCharToMultiByte,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\bushexa.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: 0_2_00420151 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: 0_2_004231DB __lock,_strlen,_strcat,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeCode function: 0_2_0044A5CB GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterWindowMessageA,
            Source: C:\Users\user\Desktop\BnJvVt951o.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match | File source: 00000006.00000002.1033773851.0000000000F51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.653627913.00000000022F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.653606214.00000000022C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.641142570.00000000022D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1033749046.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.641176442.00000000022E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.652667047.0000000000F61000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.652651550.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 6.2.bushexa.exe.f4053f.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BnJvVt951o.exe.22d053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.bushexa.exe.f4053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.BnJvVt951o.exe.22c053f.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BnJvVt951o.exe.22d053f.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.bushexa.exe.f4053f.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.bushexa.exe.f4053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.BnJvVt951o.exe.22c053f.1.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 0_2_004514EB CreateBindCtx,lstrlenW,lstrlenA,CoTaskMemFree,
Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 1_2_004514EB CreateBindCtx,lstrlenW,lstrlenA,CoTaskMemFree,
Source: C:\Users\user\Desktop\BnJvVt951o.exe | Code function: 1_2_00451B05 lstrlenA,lstrlenW,lstrlenW,lstrlenW,CoTaskMemAlloc,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,

            Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts1 | Native API111 | Valid Accounts1 | Valid Accounts1 | Deobfuscate/Decode Files or Information1 | Input Capture1 | System Time Discovery2 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact1
Default Accounts | Command and Scripting Interpreter2 | Windows Service12 | Access Token Manipulation1 | Obfuscated Files or Information2 | LSASS Memory | System Service Discovery1 | Remote Desktop Protocol | Input Capture1 | Exfiltration Over Bluetooth | Encrypted Channel22 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Service Execution12 | Logon Script (Windows) | Windows Service12 | Software Packing1 | Security Account Manager | File and Directory Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Process Injection1 | File Deletion1 | NTDS | System Information Discovery37 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading121 | LSA Secrets | Security Software Discovery21 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Valid Accounts1 | Cached Domain Credentials | Virtualization/Sandbox Evasion2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation1 | DCSync | Process Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion2 | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection1 | /etc/passwd and /etc/shadow | Remote System Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Hidden Files and Directories1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

            Behavior Graph


            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

[Screenshot thumbnail: windows-stand]

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

Source | Detection | Scanner | Label
BnJvVt951o.exe | 84% | Virustotal |
BnJvVt951o.exe | 96% | ReversingLabs | Win32.Trojan.Emotet
BnJvVt951o.exe | 100% | Avira | HEUR/AGEN.1111753
BnJvVt951o.exe | 100% | Joe Sandbox ML |

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

Source | Detection | Scanner | Label
6.0.bushexa.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1111753
5.0.bushexa.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1111753
5.2.bushexa.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1111753
6.2.bushexa.exe.f4053f.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
6.2.bushexa.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1111753
1.2.BnJvVt951o.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1111753
1.0.BnJvVt951o.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1111753
0.0.BnJvVt951o.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1111753
1.2.BnJvVt951o.exe.22c053f.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.2.BnJvVt951o.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1111753
0.2.BnJvVt951o.exe.22d053f.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
5.2.bushexa.exe.f4053f.2.unpack | 100% | Avira | TR/Patched.Ren.Gen

            Domains

            No Antivirus matches

            URLs

Source | Detection | Scanner | Label
http://201.251.43.69/usbccid/iplk/pdf/merge/ | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

            No contacted domains info

            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://201.251.43.69/usbccid/iplk/pdf/merge/ | bushexa.exe, 00000006.00000002.1033372208.0000000000199000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.hulu.com/privacy | svchost.exe, 0000000F.00000003.728341949.0000022BADD5C000.00000004.00000001.sdmp | false | | high
http://www.g5e.com/G5_End_User_License_Supplemental_Terms | svchost.exe, 0000000F.00000003.729578858.0000022BADD5C000.00000004.00000001.sdmp | false | | high
https://www.hulu.com/do-not-sell-my-info | svchost.exe, 0000000F.00000003.728341949.0000022BADD5C000.00000004.00000001.sdmp | false | | high
http://www.hulu.com/terms | svchost.exe, 0000000F.00000003.728341949.0000022BADD5C000.00000004.00000001.sdmp | false | | high
https://corp.roblox.com/contact/ | svchost.exe, 0000000F.00000003.736838195.0000022BADD94000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.736817048.0000022BADD60000.00000004.00000001.sdmp | false | | high
https://www.roblox.com/develop | svchost.exe, 0000000F.00000003.736838195.0000022BADD94000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.736817048.0000022BADD60000.00000004.00000001.sdmp | false | | high
https://instagram.com/hiddencity_ | svchost.exe, 0000000F.00000003.729578858.0000022BADD5C000.00000004.00000001.sdmp | false | | high
https://www.roblox.com/info/privacy | svchost.exe, 0000000F.00000003.736838195.0000022BADD94000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.736817048.0000022BADD60000.00000004.00000001.sdmp | false | | high
http://www.g5e.com/termsofservice | svchost.exe, 0000000F.00000003.729578858.0000022BADD5C000.00000004.00000001.sdmp | false | | high
https://en.help.roblox.com/hc/en-us | svchost.exe, 0000000F.00000003.736838195.0000022BADD94000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.736817048.0000022BADD60000.00000004.00000001.sdmp | false | | high
https://corp.roblox.com/parents/ | svchost.exe, 0000000F.00000003.736838195.0000022BADD94000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.736817048.0000022BADD60000.00000004.00000001.sdmp | false | | high
https://www.hulu.com/ca-privacy-rights | svchost.exe, 0000000F.00000003.728341949.0000022BADD5C000.00000004.00000001.sdmp | false | | high

                                    Contacted IPs


                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
152.89.236.214 | unknown | Germany | 31400 | ACCELERATED-ITDE | false
198.199.114.69 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | false
104.236.246.93 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | false
178.210.51.222 | unknown | Russian Federation | 43727 | KVANT-TELECOMRU | false
115.78.95.230 | unknown | Viet Nam | 7552 | VIETEL-AS-APViettelGroupVN | false
201.251.43.69 | unknown | Argentina | 27927 | CoopPopulardeElecObrasyServiciosPubdeSantaRosa | false
45.33.54.74 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | false
209.141.41.136 | unknown | United States | 53667 | PONYNETUS | false
87.106.136.232 | unknown | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | false

                                    Private

                                    IP
                                    192.168.2.1

                                    General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 382018
Start date: 05.04.2021
Start time: 18:57:04
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 8s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: BnJvVt951o.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal96.bank.troj.evad.winEXE@10/0@0/10
                                    EGA Information:
                                    • Successful, ratio: 50%
                                    HDC Information:
                                    • Successful, ratio: 0.1% (good quality ratio 0.1%)
                                    • Quality average: 93.2%
                                    • Quality standard deviation: 6.9%
                                    HCA Information:
                                    • Successful, ratio: 100%
                                    • Number of executed functions: 0
                                    • Number of non-executed functions: 0
                                    Cookbook Comments:
                                    • Adjust boot time
                                    • Enable AMSI
                                    • Sleeps bigger than 120000ms are automatically reduced to 1000ms
                                    • Found application associated with file extension: .exe
                                    Warnings:
                                    • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe
                                    • Excluded IPs from analysis (whitelisted): 52.255.188.83, 52.147.198.201, 92.122.145.220, 104.43.139.144, 40.88.32.150, 13.88.21.125, 20.82.209.183, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129, 2.20.142.210, 2.20.142.209, 20.82.210.154
                                    • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                    Simulations

                                    Behavior and APIs

                                    No simulations

                                    Joe Sandbox View / Context

                                    IPs

Match | Associated Sample Name / URL | Detection | Context
152.89.236.214 | SMtbg7yHyR.exe | malicious
| aEdlObiYav.exe | malicious
198.199.114.69 | VYHauUUCLr.exe | malicious
• 198.199.114.69:8080/badge/report/xian/
| http://infraturkey.com/deletecomment/parts_service/daaMnHeDzR/ | malicious
• 198.199.114.69:8080/jit/
| https://newwell.studio/test/DOC/NtnDpOmWbTdPEdBxrLyy/ | malicious
• 198.199.114.69:8080/json/
104.236.246.93 | form.doc | malicious
• 104.236.246.93:8080/hZhNeaDm/dcUDNcyqQW/niVKRU29uscA3Ju/
| UAr7Xz5JWr.exe | malicious
• 104.236.246.93:8080/ZxZomdMT6G9XK/ghoypfynUN/
| invoice #865119.doc | malicious
• 104.236.246.93:8080/XzlcYaBSUK0cswU/pzKYcLCk/PbvwO3hXkaN7W/WM9ZNIP/
| XY8707573112TQ.doc | malicious
• 104.236.246.93:8080/att30xZ/YONUKbuNJ8IOQjL/G34JI8e3LEFl/jaWgrB/
| test-emotet.exe | malicious
• 104.236.246.93/
178.210.51.222 | BnJvVt951o.exe | malicious
| SMtbg7yHyR.exe | malicious
| aEdlObiYav.exe | malicious
115.78.95.230 | pM54o4Q47b.exe | malicious
| minimumthemes.exe | malicious

                                                  Domains

                                                  No context

                                                  ASN

Match | Associated Sample Name / URL | Detection | Context
ACCELERATED-ITDE | BnJvVt951o.exe | malicious
• 152.89.236.214
| SMtbg7yHyR.exe | malicious
• 152.89.236.214
| KAsJ2r4XYY.dll | malicious
• 185.243.114.196
| swlsGbeQwT.dll | malicious
• 185.243.114.196
| document-1048628209.xls | malicious
• 185.243.114.196
| document-1771131239.xls | malicious
• 185.243.114.196
| document-1370071295.xls | malicious
• 185.243.114.196
| document-69564892.xls | malicious
• 185.243.114.196
| document-1320073816.xls | malicious
• 185.243.114.196
| document-184653858.xls | malicious
• 185.243.114.196
| document-1729033050.xls | malicious
• 185.243.114.196
| document-540475316.xls | malicious
• 185.243.114.196
| document-1456634656.xls | malicious
• 185.243.114.196
| document-1376447212.xls | malicious
• 185.243.114.196
| document-1813856412.xls | malicious
• 185.243.114.196
| document-1776123548.xls | malicious
• 185.243.114.196
| document-684762271.xls | malicious
• 185.243.114.196
| document-1590815978.xls | malicious
• 185.243.114.196
| document-66411652.xls | malicious
• 185.243.114.196
| document-415601328.xls | malicious
• 185.243.114.196
DIGITALOCEAN-ASNUS | BnJvVt951o.exe | malicious
• 104.236.246.93
| 0M53tHsUDg.dll | malicious
• 161.35.99.181
| Sample.doc | malicious
• 159.65.129.33
| Sample.doc | malicious
• 159.65.129.33
| SMtbg7yHyR.exe | malicious
• 104.236.246.93
| TW#9898748948-TZE.exe | malicious
• 162.243.129.169
| xqtEOiEeHh.exe | malicious
• 159.89.4.33
| 5AKljISD4v.exe | malicious
• 206.189.80.59
| nnrlOwKZlc.exe | malicious
• 104.248.119.44
| documents-575751901.xlsm | malicious
• 138.197.197.35
| MIpyc881Ka.dll | malicious
• 138.197.197.35
| 278.xlsm | malicious
• 138.197.197.35
| 1449.xlsm | malicious
• 138.197.197.35
| documents-1987093434.xlsm | malicious
• 138.197.197.35
| 1737.xlsm | malicious
• 138.197.197.35
| 492.xlsm | malicious
• 138.197.197.35
| 3205.xlsm | malicious
• 138.197.197.35
| 1984.xlsm | malicious
• 138.197.197.35
| 2503.xlsm | malicious
• 138.197.197.35
| 3032.xlsm | malicious
• 138.197.197.35
DIGITALOCEAN-ASNUS | BnJvVt951o.exe | malicious
• 104.236.246.93
| 0M53tHsUDg.dll | malicious
• 161.35.99.181
| Sample.doc | malicious
• 159.65.129.33
| Sample.doc | malicious
• 159.65.129.33
| SMtbg7yHyR.exe | malicious
• 104.236.246.93
| TW#9898748948-TZE.exe | malicious
• 162.243.129.169
| xqtEOiEeHh.exe | malicious
• 159.89.4.33
| 5AKljISD4v.exe | malicious
• 206.189.80.59
| nnrlOwKZlc.exe | malicious
• 104.248.119.44
| documents-575751901.xlsm | malicious
• 138.197.197.35
| MIpyc881Ka.dll | malicious
• 138.197.197.35
| 278.xlsm | malicious
• 138.197.197.35
| 1449.xlsm | malicious
                                                  • 138.197.197.35
                                                  documents-1987093434.xlsmGet hashmaliciousBrowse
                                                  • 138.197.197.35
                                                  1737.xlsmGet hashmaliciousBrowse
                                                  • 138.197.197.35
                                                  492.xlsmGet hashmaliciousBrowse
                                                  • 138.197.197.35
                                                  3205.xlsmGet hashmaliciousBrowse
                                                  • 138.197.197.35
                                                  1984.xlsmGet hashmaliciousBrowse
                                                  • 138.197.197.35
                                                  2503.xlsmGet hashmaliciousBrowse
                                                  • 138.197.197.35
                                                  3032.xlsmGet hashmaliciousBrowse
                                                  • 138.197.197.35

                                                  JA3 Fingerprints

                                                  No context

                                                  Dropped Files

                                                  No context

                                                  Created / dropped Files

                                                  No created / dropped files found

                                                  Static File Info

                                                  General

                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Entropy (8bit):6.625638741868008
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:BnJvVt951o.exe
                                                  File size:516346
                                                  MD5:ae03a6f8fb74d401b403647d28e21574
                                                  SHA1:6ee320cedc77499f5df9ae9c93ef42c0d91f3ce8
                                                  SHA256:1ad1ff05930f27ef4b349c7a612235d1632ef7ceaa1a17adf7c7b3a97b40ca4d
                                                  SHA512:ab2a30d32722419c72808032ae01b9443bfb8ea80ec52426aeb42ac21a84f0a2b04dd6f311c13b06bcaa37b7874b4e311ff8dc0c94ccfa42cbf6dcac0e2facab
                                                  SSDEEP:6144:PebeJq15KNVIjux9tE9dVyAhwoajYPNo4ahRFPhpxOtYS0xefNPf+R6axxVccVPo:W5KNgux9t0VyAShUPCRdUi8cVRPw17i
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........*1..Db..Db..Dbd..b..Db..]b..Db...b..Db..Kb..Db...ba.Db..cb..Dbd..b..Db..Eb..Db..$b..Db...b..Db...b..Db...b..DbRich..Db.......

                                                  File Icon

                                                  Icon Hash:00828e8e8686b000

                                                  Static PE Info

                                                  General

                                                  Entrypoint:0x419b95
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                  DLL Characteristics:
                                                  Time Stamp:0x5D9A0326 [Sun Oct 6 15:07:18 2019 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:92bdfd5dfdc574760c27f87d6f10fe98

                                                  Entrypoint Preview

                                                  Instruction
                                                  push 00000060h
                                                  push 0045C7A8h
                                                  call 00007F8C80767BC0h
                                                  mov edi, 00000094h
                                                  mov eax, edi
                                                  call 00007F8C80767D18h
                                                  mov dword ptr [ebp-18h], esp
                                                  mov esi, esp
                                                  mov dword ptr [esi], edi
                                                  push esi
                                                  call dword ptr [004552A0h]
                                                  mov ecx, dword ptr [esi+10h]
                                                  mov dword ptr [0047B960h], ecx
                                                  mov eax, dword ptr [esi+04h]
                                                  mov dword ptr [0047B96Ch], eax
                                                  mov edx, dword ptr [esi+08h]
                                                  mov dword ptr [0047B970h], edx
                                                  mov esi, dword ptr [esi+0Ch]
                                                  and esi, 00007FFFh
                                                  mov dword ptr [0047B964h], esi
                                                  cmp ecx, 02h
                                                  je 00007F8C8076852Eh
                                                  or esi, 00008000h
                                                  mov dword ptr [0047B964h], esi
                                                  shl eax, 08h
                                                  add eax, edx
                                                  mov dword ptr [0047B968h], eax
                                                  xor esi, esi
                                                  push esi
                                                  mov edi, dword ptr [00455320h]
                                                  call edi
                                                  cmp word ptr [eax], 5A4Dh
                                                  jne 00007F8C80768541h
                                                  mov ecx, dword ptr [eax+3Ch]
                                                  add ecx, eax
                                                  cmp dword ptr [ecx], 00004550h
                                                  jne 00007F8C80768534h
                                                  movzx eax, word ptr [ecx+18h]
                                                  cmp eax, 0000010Bh
                                                  je 00007F8C80768541h
                                                  cmp eax, 0000020Bh
                                                  je 00007F8C80768527h
                                                  mov dword ptr [ebp-1Ch], esi
                                                  jmp 00007F8C80768549h
                                                  cmp dword ptr [ecx+00000084h], 0Eh
                                                  jbe 00007F8C80768514h
                                                  xor eax, eax
                                                  cmp dword ptr [ecx+000000F8h], esi
                                                  jmp 00007F8C80768530h
                                                  cmp dword ptr [ecx+74h], 0Eh
                                                  jbe 00007F8C80768504h
                                                  xor eax, eax
                                                  cmp dword ptr [ecx+000000E8h], esi
                                                  setne al
                                                  mov dword ptr [ebp-1Ch], eax

                                                  Rich Headers

                                                  Programming Language:
                                                  • [ASM] VS2003 (.NET) build 3077
                                                  • [LNK] VS2003 (.NET) build 3077
                                                  • [RES] VS2003 (.NET) build 3077
                                                  • [EXP] VS2003 (.NET) build 3077
                                                  • [C++] VS2003 (.NET) build 3077
                                                  • [ C ] VS2003 (.NET) build 3077

                                                  Data Directories

                                                   Name                                   Virtual Address  Virtual Size  Is in Section
                                                   IMAGE_DIRECTORY_ENTRY_EXPORT           0x68cf0          0x53          .rdata
                                                   IMAGE_DIRECTORY_ENTRY_IMPORT           0x66224          0x104         .rdata
                                                   IMAGE_DIRECTORY_ENTRY_RESOURCE         0x7e000          0x3ebc        .rsrc
                                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_BASERELOC        0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_DEBUG            0x55880          0x1c          .rdata
                                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x60ed0          0x48          .rdata
                                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_IAT              0x55000          0x878         .rdata
                                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x66174          0x40          .rdata
                                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0

                                                  Sections

                                                   Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type             Entropy        Characteristics
                                                   .text   0x1000           0x53ee9       0x54000   False     0.505048479353   DOS executable (COM)  6.50788658927  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                   .rdata  0x55000          0x13d43       0x14000   False     0.315026855469   data                  5.20395932053  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                   .data   0x69000          0x14234       0x11000   False     0.795568129596   data                  7.54511629913  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                   .rsrc   0x7e000          0x3ebc        0x4000    False     0.259643554688   data                  3.45842321085  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
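The Entrypoint Preview above is the Visual C++ 2003 CRT start-up stub, which agrees with the VS2003 build 3077 Rich header: it reserves 0x94 bytes on the stack (the size of OSVERSIONINFOA) with a __chkstk-style probe, fills the structure through an IAT call (GetVersionExA, judging by the structure size and the dwMajorVersion/dwMinorVersion/dwBuildNumber/dwPlatformId offsets read back into the CRT's _winmajor/_winminor/_osver/_osplatform globals), then calls another import with a NULL argument (GetModuleHandleA, to get its own module base), walks MZ -> e_lfanew -> "PE\0\0", branches on the optional-header magic (0x10B PE32 / 0x20B PE32+) and tests NumberOfRvaAndSizes ([ecx+74h] / [ecx+84h]) against 14 and the COM descriptor directory RVA ([ecx+0E8h] / [ecx+0F8h]) to decide whether the image is a managed (.NET) application. Here both the "CLR (.Net) Version" field and the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR row are empty, so that check takes the native path. The following is an added example (mine, not Joe Sandbox's and not code from the sample): it parses the fields listed under Static PE Info from a constructed minimal PE32 and replays the same managed-app check. The "entrypoint" value shows how 0x419b95 arises from Imagebase 0x400000 plus the AddressOfEntryPoint RVA, and the per-section Shannon entropy is the measure behind the Entropy column (a .data section at 7.55 against 6.51 for .text is the skew an analyst reads as an embedded encrypted payload, in line with the Emotet verdict). build_min_pe32, demo_info and the field values they use are assumptions made for the demonstration; the IAT call targets named above are inferences, since the report does not resolve them.

```python
"""Added example (not the report's or the sample's code): parse the header
fields listed under Static PE Info and replay the entry-point stub's
managed-app check. Standard library only; the PE image is constructed."""
import math
import struct
from datetime import datetime, timezone

DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
                   "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
                   "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]  # PE/COFF order
COM_DESCRIPTOR_INDEX = 14                                  # the CLR header directory


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits/byte: 0.0 for constant data, 8.0 for uniform."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def pe_timestamp(ts: int) -> str:
    """Render TimeDateStamp as the report does, e.g. 'Sun Oct 6 15:07:18 2019 UTC'."""
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    return f"{dt:%a %b} {dt.day} {dt:%H:%M:%S %Y} UTC"


def nt_header_offset(image: bytes) -> int:
    """MZ -> e_lfanew -> 'PE\\0\\0', the same walk the entry-point code performs."""
    if image[:2] != b"MZ":                                 # cmp word ptr [eax], 5A4Dh
        raise ValueError("missing MZ signature")
    nt = struct.unpack_from("<I", image, 0x3C)[0]          # mov ecx, [eax+3Ch]
    if image[nt:nt + 4] != b"PE\0\0":                      # cmp dword ptr [ecx], 4550h
        raise ValueError("missing PE signature")
    return nt


def is_managed_app(image: bytes) -> bool:
    """CRT check: NumberOfRvaAndSizes > 14 and a non-zero COM descriptor RVA."""
    nt = nt_header_offset(image)                           # offsets below are from the PE signature
    magic = struct.unpack_from("<H", image, nt + 0x18)[0]  # movzx eax, word ptr [ecx+18h]
    if magic == 0x10B:                                     # PE32:  [ecx+74h], [ecx+0E8h]
        n_dirs_off, com_off = nt + 0x74, nt + 0xE8
    elif magic == 0x20B:                                   # PE32+: [ecx+84h], [ecx+0F8h]
        n_dirs_off, com_off = nt + 0x84, nt + 0xF8
    else:
        return False                                       # unknown magic: native path
    if struct.unpack_from("<I", image, n_dirs_off)[0] <= COM_DESCRIPTOR_INDEX:
        return False
    return struct.unpack_from("<I", image, com_off)[0] != 0


def parse_pe(image: bytes) -> dict:
    """Return the fields a sandbox report lists under Static PE Info / Sections."""
    nt = nt_header_offset(image)
    _, n_sections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, nt + 4)
    opt = nt + 24
    magic, = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:
        image_base, = struct.unpack_from("<I", image, opt + 0x1C)
        n_dirs_off = opt + 0x5C
    elif magic == 0x20B:
        image_base, = struct.unpack_from("<Q", image, opt + 0x18)
        n_dirs_off = opt + 0x6C
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry_rva, = struct.unpack_from("<I", image, opt + 0x10)
    subsystem, = struct.unpack_from("<H", image, opt + 0x44)
    n_dirs, = struct.unpack_from("<I", image, n_dirs_off)
    dirs = {"IMAGE_DIRECTORY_ENTRY_" + DIRECTORY_NAMES[i]:
            struct.unpack_from("<II", image, n_dirs_off + 4 + 8 * i) for i in range(min(n_dirs, 16))}
    sections = []
    for i in range(n_sections):                            # 40-byte IMAGE_SECTION_HEADERs follow the optional header
        name, vsize, va, raw_size, raw_off = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize, "raw_size": raw_size,
                         "entropy": shannon_entropy(image[raw_off:raw_off + raw_size])})
    return {"timestamp": pe_timestamp(stamp), "image_base": image_base, "entrypoint": image_base + entry_rva,
            "subsystem": {2: "windows gui", 3: "windows cui"}.get(subsystem, str(subsystem)),
            "data_directories": dirs, "sections": sections, "managed": is_managed_app(image)}


def build_min_pe32(*, entry_rva=0x1000, stamp=0x5D9A0326, com_rva=0, text=b"") -> bytes:
    """Constructed minimal PE32 (one .text section) for the demonstration, not a real file."""
    opt_size = 0x60 + 8 * 16                               # PE32 optional header with 16 directories
    raw_off = 0x40 + 4 + 20 + opt_size + 40                # DOS header, signature, COFF, optional, 1 section
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    # magic, AddressOfEntryPoint, Imagebase (as in the report), GUI subsystem, NumberOfRvaAndSizes, COM RVA
    for fmt, off, val in (("<H", 0x00, 0x10B), ("<I", 0x10, entry_rva), ("<I", 0x1C, 0x400000),
                          ("<H", 0x44, 2), ("<I", 0x5C, 16), ("<I", 0x60 + 8 * COM_DESCRIPTOR_INDEX, com_rva)):
        struct.pack_into(fmt, opt, off, val)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), raw_off,
                       0, 0, 0, 0, 0x60000020)             # CODE | EXECUTE | READ
    return dos + b"PE\0\0" + coff + bytes(opt) + sect + text


def demo_info() -> dict:
    """Native image with the report's entry RVA (0x19b95) and a uniform 1 KiB .text payload."""
    return parse_pe(build_min_pe32(entry_rva=0x19B95, text=bytes(range(256)) * 4))
```

Calling demo_info() yields entrypoint 0x419b95, the report's timestamp string for 0x5D9A0326, subsystem "windows gui", a .text entropy of 8.0 (every byte value equally frequent) and managed=False; build_min_pe32(com_rva=0x2008) flips is_managed_app to True, which is the only thing the CRT stub cares about. Running this over the real file instead of the constructed image would need nothing beyond reading it into `image`; the resource and import tables are not parsed here.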

                                                  Resources

                                                   Name             RVA      Size   Type                                                       Language  Country
                                                   RT_CURSOR        0x7eb68  0x134  data                                                       English   United States
                                                   RT_CURSOR        0x7ec9c  0xb4   data                                                       English   United States
                                                   RT_CURSOR        0x7ed50  0x134  AmigaOS bitmap font                                        English   United States
                                                   RT_CURSOR        0x7ee84  0x134  data                                                       English   United States
                                                   RT_CURSOR        0x7efb8  0x134  data                                                       English   United States
                                                   RT_CURSOR        0x7f0ec  0x134  data                                                       English   United States
                                                   RT_CURSOR        0x7f220  0x134  data                                                       English   United States
                                                   RT_CURSOR        0x7f354  0x134  data                                                       English   United States
                                                   RT_CURSOR        0x7f488  0x134  data                                                       English   United States
                                                   RT_CURSOR        0x7f5bc  0x134  data                                                       English   United States
                                                   RT_CURSOR        0x7f6f0  0x134  data                                                       English   United States
                                                   RT_CURSOR        0x7f824  0x134  data                                                       English   United States
                                                   RT_CURSOR        0x7f958  0x134  AmigaOS bitmap font                                        English   United States
                                                   RT_CURSOR        0x7fa8c  0x134  data                                                       English   United States
                                                   RT_CURSOR        0x7fbc0  0x134  data                                                       English   United States
                                                   RT_CURSOR        0x7fcf4  0x134  data                                                       English   United States
                                                   RT_BITMAP        0x7fe28  0xb8   data                                                       English   United States
                                                   RT_BITMAP        0x7fee0  0x144  data                                                       English   United States
                                                   RT_DIALOG        0x80024  0x184  data                                                       English   United States
                                                   RT_DIALOG        0x801a8  0xf4   data                                                       English   United States
                                                   RT_DIALOG        0x8029c  0x100  data                                                       English   United States
                                                   RT_DIALOG        0x8039c  0xe8   data                                                       English   United States
                                                   RT_STRING        0x80484  0x44   data                                                       English   United States
                                                   RT_STRING        0x804c8  0x48   data                                                       English   United States
                                                   RT_STRING        0x80510  0x2c   data                                                       English   United States
                                                   RT_STRING        0x8053c  0x38   data                                                       English   United States
                                                   RT_STRING        0x80574  0x48   data                                                       English   United States
                                                   RT_STRING        0x805bc  0x64   data                                                       English   United States
                                                   RT_STRING        0x80620  0x46   data                                                       English   United States
                                                   RT_STRING        0x80668  0x82   data                                                       English   United States
                                                   RT_STRING        0x806ec  0x2a   data                                                       English   United States
                                                   RT_STRING        0x80718  0x192  data                                                       English   United States
                                                   RT_STRING        0x808ac  0x4e2  data                                                       English   United States
                                                   RT_STRING        0x80d90  0x31a  data                                                       English   United States
                                                   RT_STRING        0x810ac  0x2dc  data                                                       English   United States
                                                   RT_STRING        0x81388  0x8a   data                                                       English   United States
                                                   RT_STRING        0x81414  0xac   data                                                       English   United States
                                                   RT_STRING        0x814c0  0xde   data                                                       English   United States
                                                   RT_STRING        0x815a0  0x4c4  data                                                       English   United States
                                                   RT_STRING        0x81a64  0x264  data                                                       English   United States
                                                   RT_STRING        0x81cc8  0x2c   data                                                       English   United States
                                                   RT_STRING        0x81cf4  0x42   data                                                       English   United States
                                                   RT_STRING        0x81d38  0x48   data                                                       English   United States
                                                   RT_GROUP_CURSOR  0x81d80  0x22   Lotus unknown worksheet or configuration, revision 0x2    English   United States
                                                   RT_GROUP_CURSOR  0x81da4  0x14   Lotus unknown worksheet or configuration, revision 0x1    English   United States
                                                   RT_GROUP_CURSOR  0x81db8  0x14   Lotus unknown worksheet or configuration, revision 0x1    English   United States
                                                   RT_GROUP_CURSOR  0x81dcc  0x14   Lotus unknown worksheet or configuration, revision 0x1    English   United States
                                                   RT_GROUP_CURSOR  0x81de0  0x14   Lotus unknown worksheet or configuration, revision 0x1    English   United States
                                                   RT_GROUP_CURSOR  0x81df4  0x14   Lotus unknown worksheet or configuration, revision 0x1    English   United States
                                                   RT_GROUP_CURSOR  0x81e08  0x14   Lotus unknown worksheet or configuration, revision 0x1    English   United States
                                                   RT_GROUP_CURSOR  0x81e1c  0x14   Lotus unknown worksheet or configuration, revision 0x1    English   United States
                                                   RT_GROUP_CURSOR  0x81e30  0x14   Lotus unknown worksheet or configuration, revision 0x1    English   United States
                                                   RT_GROUP_CURSOR  0x81e44  0x14   Lotus unknown worksheet or configuration, revision 0x1    English   United States
                                                   RT_GROUP_CURSOR  0x81e58  0x14   Lotus unknown worksheet or configuration, revision 0x1    English   United States
                                                   RT_GROUP_CURSOR  0x81e6c  0x14   Lotus unknown worksheet or configuration, revision 0x1    English   United States
                                                   RT_GROUP_CURSOR  0x81e80  0x14   Lotus unknown worksheet or configuration, revision 0x1    English   United States
                                                   RT_GROUP_CURSOR  0x81e94  0x14   Lotus unknown worksheet or configuration, revision 0x1    English   United States
                                                   RT_GROUP_CURSOR  0x81ea8  0x14   Lotus unknown worksheet or configuration, revision 0x1    English   United States

                                                  Imports

                                                   DLL             Imports
                                                   CRYPT32.dll     CertOpenStore
                                                   KERNEL32.dll    GetStartupInfoA, GetCommandLineA, ExitProcess, HeapReAlloc, TerminateProcess, ExitThread, CreateThread, HeapSize, FatalAppExitA, HeapDestroy, HeapCreate, VirtualFree, IsBadWritePtr, GetStdHandle, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetUnhandledExceptionFilter, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetTimeZoneInformation, IsBadReadPtr, IsBadCodePtr, GetTimeFormatA, GetDateFormatA, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, IsValidCodePage, SetConsoleCtrlHandler, RtlUnwind, GetLocaleInfoW, SetEnvironmentVariableA, InterlockedExchange, GetACP, GetLocaleInfoA, GetThreadLocale, GetVersionExA, MultiByteToWideChar, WideCharToMultiByte, GetLastError, GetVersion, lstrcmpiA, lstrlenW, lstrcmpiW, lstrlenA, CompareStringA, CompareStringW, GetEnvironmentVariableA, GetEnvironmentVariableW, GetStringTypeExA, GetStringTypeExW, SizeofResource, LockResource, LoadResource, FindResourceA, FreeResource, GlobalFree, GlobalUnlock, GlobalLock, LocalFree, lstrcpynA, FormatMessageA, GlobalAlloc, GlobalSize, MulDiv, CopyFileA, SetLastError, GetProcAddress, GetModuleHandleA, lstrcmpW, VirtualQuery, GetSystemInfo, VirtualAlloc, VirtualProtect, HeapFree, HeapAlloc, GetDiskFreeSpaceA, GetTempFileNameA, LocalLock, LocalUnlock, GetFileTime, GetFileAttributesA, SetFileAttributesA, SetFileTime, LocalFileTimeToFileTime, FileTimeToLocalFileTime, SetErrorMode, GetShortPathNameA, CreateFileA, GetFullPathNameA, GetVolumeInformationA, FindFirstFileA, FindClose, GetCurrentProcess, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, DeleteFileA, MoveFileA, GetCurrentDirectoryA, GetPrivateProfileStringA, WritePrivateProfileStringA, GetPrivateProfileIntA, SystemTimeToFileTime, FileTimeToSystemTime, GetOEMCP, GetCPInfo, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, TlsGetValue, EnterCriticalSection, GlobalHandle, GlobalReAlloc, LeaveCriticalSection, LocalAlloc, InterlockedIncrement, GlobalFlags, DeleteCriticalSection, InitializeCriticalSection, RaiseException, CreateEventA, SuspendThread, SetEvent, WaitForSingleObject, ResumeThread, SetThreadPriority, CloseHandle, GetCurrentThread, lstrcmpA, GetModuleFileNameA, lstrcatA, ConvertDefaultLocale, EnumResourceLanguagesA, lstrcpyA, InterlockedDecrement, GetCurrentThreadId, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, LoadLibraryA, FreeLibrary, SetStdHandle
                                                   USER32.dll      IsClipboardFormatAvailable, MessageBeep, GetTabbedTextExtentA, GetDCEx, LockWindowUpdate, SetParent, InvalidateRect, InsertMenuItemA, CreatePopupMenu, SetRectEmpty, BringWindowToTop, SetMenu, TranslateAcceleratorA, DestroyIcon, DeleteMenu, wsprintfA, WaitMessage, GetWindowThreadProcessId, ReleaseCapture, WindowFromPoint, SetCapture, LoadCursorA, GetSysColorBrush, GetDialogBaseUnits, GetMessageA, TranslateMessage, GetCursorPos, ValidateRect, ShowOwnedPopups, SetCursor, PostQuitMessage, EndPaint, BeginPaint, GetWindowDC, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, FillRect, DestroyMenu, GetMenuItemInfoA, InflateRect, SetMenuItemBitmaps, ModifyMenuA, EnableMenuItem, CheckMenuItem, GetMenuCheckMarkDimensions, LoadBitmapA, ScrollWindowEx, ShowWindow, MoveWindow, SetWindowTextA, IsDialogMessageA, IsDlgButtonChecked, SetDlgItemInt, GetDlgItemTextA, GetDlgItemInt, CheckRadioButton, CheckDlgButton, RegisterWindowMessageA, WinHelpA, GetCapture, CreateWindowExA, SetWindowsHookExA, CallNextHookEx, KillTimer, GetClassInfoExA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SendDlgItemMessageA, GetFocus, SetFocus, IsChild, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, GetLastActivePopup, DispatchMessageA, BeginDeferWindowPos, EndDeferWindowPos, GetTopWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, PeekMessageA, MapWindowPoints, ScrollWindow, MessageBoxA, TrackPopupMenuEx, TrackPopupMenu, GetKeyState, SetScrollRange, SetDlgItemTextA, CharLowerA, CharLowerW, CharUpperA, CharUpperW, SendMessageA, EnableWindow, DrawIcon, AppendMenuA, GetSystemMenu, IsIconic, GetClientRect, SetActiveWindow, LoadIconA, GetScrollRange, SetScrollPos, GetScrollPos, SetForegroundWindow, ShowScrollBar, IsWindowVisible, UpdateWindow, GetMenu, PostMessageA, GetSysColor, AdjustWindowRectEx, ScreenToClient, EqualRect, DeferWindowPos, GetScrollInfo, SetScrollInfo, SetTimer, SetRect, UnionRect, IsRectEmpty, MapVirtualKeyA, GetClassInfoA, RegisterClassA, UnregisterClassA, SetWindowPlacement, GetDlgCtrlID, DefWindowProcA, SetWindowLongA, SetWindowPos, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, GetKeyNameTextA, LoadMenuA, UnpackDDElParam, ReuseDDElParam, GetClassLongA, LoadAcceleratorsA, CallWindowProcA, LoadStringW, GetSystemMetrics, EndDialog, GetNextDlgTabItem, GetParent, IsWindowEnabled, GetDlgItem, GetWindowLongA, IsWindow, DestroyWindow, CreateDialogIndirectParamA, GetActiveWindow, GetDesktopWindow, RemoveMenu, GetSubMenu, GetMenuItemCount, InsertMenuA, GetWindowRect, CopyRect, PtInRect, GetWindow, GetMenuState, GetMenuStringA, GetMenuItemID
                                                   GDI32.dll       SetMapperFlags, SetArcDirection, SetColorAdjustment, DeleteObject, SelectClipRgn, GetClipRgn, CreateRectRgn, SelectClipPath, GetViewportExtEx, GetWindowExtEx, GetPixel, StartDocA, PtVisible, RectVisible, TextOutA, Escape, SelectObject, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, OffsetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, GetCurrentPositionEx, ArcTo, PolyDraw, PolylineTo, PolyBezierTo, SetTextCharacterExtra, DeleteDC, CreateDIBPatternBrushPt, CreatePatternBrush, GetStockObject, SelectPalette, PlayMetaFileRecord, GetObjectType, EnumMetaFile, PlayMetaFile, CreatePen, ExtCreatePen, CreateSolidBrush, CreateHatchBrush, GetTextMetricsA, CreateRectRgnIndirect, SetRectRgn, CombineRgn, GetMapMode, PatBlt, DPtoLP, CreateCompatibleBitmap, StretchDIBits, GetCharWidthA, CreateFontA, GetBkColor, StartPage, EndPage, SetAbortProc, AbortDoc, EndDoc, SetTextJustification, SetTextAlign, MoveToEx, LineTo, OffsetClipRgn, IntersectClipRect, ExcludeClipRect, SetMapMode, SetStretchBltMode, SetROP2, SetPolyFillMode, SetBkMode, RestoreDC, SaveDC, GetTextExtentPoint32A, ExtTextOutA, BitBlt, CreateCompatibleDC, CreateFontIndirectA, CreateBitmap, GetObjectA, SetBkColor, SetTextColor, GetClipBox, GetDCOrgEx, CreateDCA, CopyMetaFileA, ExtSelectClipRgn, GetDeviceCaps
                                                   comdlg32.dll    PageSetupDlgA, FindTextA, ReplaceTextA, GetOpenFileNameA, CommDlgExtendedError, PrintDlgA, GetFileTitleA, GetSaveFileNameA
                                                   WINSPOOL.DRV    OpenPrinterA, DocumentPropertiesA, ClosePrinter, GetJobA
                                                   ADVAPI32.dll    GetFileSecurityA, RegCloseKey, RegSetValueA, RegOpenKeyA, RegQueryValueExA, RegOpenKeyExA, RegDeleteKeyA, RegEnumKeyA, RegQueryValueA, RegCreateKeyExA, RegSetValueExA, RegDeleteValueA, RegCreateKeyA, SetFileSecurityW, SetFileSecurityA
                                                   SHELL32.dll     SHGetFileInfoA, DragFinish, DragQueryFileA, ExtractIconA
                                                   COMCTL32.dll    ImageList_Draw, ImageList_GetImageInfo, ImageList_Read, ImageList_Write, ImageList_Destroy, ImageList_Create, ImageList_LoadImageA, ImageList_Merge
                                                   SHLWAPI.dll     PathRemoveExtensionA, PathFindFileNameA, PathStripToRootA, PathFindExtensionA, PathIsUNCA
                                                   ole32.dll       WriteClassStg, OleRegGetUserType, SetConvertStg, CoTaskMemFree, ReadFmtUserTypeStg, ReadClassStg, StringFromCLSID, CoTreatAsClass, CreateBindCtx, CoTaskMemAlloc, ReleaseStgMedium, OleDuplicateData, CoDisconnectObject, CoCreateInstance, StringFromGUID2, CLSIDFromString, WriteFmtUserTypeStg
                                                   OLEAUT32.dll    VariantClear, VariantChangeType, VariantInit, SysAllocStringLen, SysFreeString, SysStringLen, SysAllocStringByteLen, SysStringByteLen, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayGetElemsize, SafeArrayGetDim, SafeArrayCreate, SafeArrayRedim, VariantCopy, SafeArrayAllocData, SafeArrayAllocDescriptor, SafeArrayCopy, SafeArrayGetElement, SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayLock, SafeArrayUnlock, SafeArrayDestroy, SafeArrayDestroyData, SafeArrayDestroyDescriptor, VariantTimeToSystemTime, SystemTimeToVariantTime, SysAllocString, SysReAllocStringLen, VarDateFromStr, VarBstrFromDec, VarDecFromStr, VarCyFromStr, VarBstrFromCy, VarBstrFromDate
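The Import Hash 92bdfd5dfdc574760c27f87d6f10fe98 under Static PE Info is the MD5 of this import list in a normalized form (the "imphash" introduced by Mandiant and implemented in pefile), which is why it clusters samples that share a packer or build even when the payload differs. The added example below is mine, not the sandbox's or pefile's code; it shows the normalization applied before hashing. SAMPLE_IMPORTS is a constructed excerpt of the table above, and the ordinal-only ws2_32 entry is hypothetical. Because the hash covers the entries in import-directory order, it has to be computed from the binary itself: re-hashing a rendered list whose order or completeness is uncertain will not reproduce the page's value, and a single added or reordered import changes it entirely.

```python
"""Added example (not the report's or pefile's code): imphash normalization
and hashing over a (dll, [function | ordinal]) list in import-table order."""
import hashlib


def normalize_imports(imports) -> str:
    """Join imports as 'dll.func,dll.func,...' the way pefile's get_imphash() does:
    everything lower-cased, a trailing .dll/.ocx/.sys stripped from the module
    name (other suffixes such as .drv stay), and ordinal-only imports written as
    'ordN'. pefile additionally maps well-known ws2_32/oleaut32 ordinals back
    to names before this step; that lookup table is omitted here."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of the normalized import string; MD5 is used here for matching, not security."""
    return hashlib.md5(normalize_imports(imports).encode("ascii")).hexdigest()


# Constructed excerpt of the Imports table above, plus one hypothetical ordinal import.
SAMPLE_IMPORTS = [
    ("CRYPT32.dll", ["CertOpenStore"]),
    ("KERNEL32.dll", ["GetStartupInfoA", "GetVersionExA", "GetModuleHandleA", "GetProcAddress"]),
    ("WINSPOOL.DRV", ["OpenPrinterA"]),
    ("ws2_32.dll", [23]),                       # hypothetical import by ordinal
]

if __name__ == "__main__":
    print(normalize_imports(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

The same list with different capitalization hashes identically, and moving KERNEL32 ahead of CRYPT32 produces a different digest, which is the property to keep in mind when comparing imphashes across tools that may walk the import directory differently (for example, bound or delay-load imports, which pefile's imphash ignores).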

                                                  Exports

                                                   Name                 Ordinal  Address
                                                   mcfGvgupamvngNBNmgO  1        0x401e04

                                                  Possible Origin

                                                   Language of compilation system  Country where language is spoken
                                                   English                         United States

Network Behavior

Network Port Distribution

(port distribution chart not captured)

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Apr 5, 2021 18:58:16.818489075 CEST  49744        443        192.168.2.4      45.33.54.74
Apr 5, 2021 18:58:17.015979052 CEST  443          49744      45.33.54.74      192.168.2.4
Apr 5, 2021 18:58:17.528825045 CEST  49744        443        192.168.2.4      45.33.54.74
Apr 5, 2021 18:58:17.726278067 CEST  443          49744      45.33.54.74      192.168.2.4
Apr 5, 2021 18:58:18.231250048 CEST  49744        443        192.168.2.4      45.33.54.74
Apr 5, 2021 18:58:18.428585052 CEST  443          49744      45.33.54.74      192.168.2.4
Apr 5, 2021 18:58:23.506542921 CEST  49746        8080       192.168.2.4      209.141.41.136
Apr 5, 2021 18:58:26.513185024 CEST  49746        8080       192.168.2.4      209.141.41.136
Apr 5, 2021 18:58:32.513686895 CEST  49746        8080       192.168.2.4      209.141.41.136
Apr 5, 2021 18:58:48.771401882 CEST  49762        8080       192.168.2.4      104.236.246.93
Apr 5, 2021 18:58:51.780920029 CEST  49762        8080       192.168.2.4      104.236.246.93
Apr 5, 2021 18:58:57.781426907 CEST  49762        8080       192.168.2.4      104.236.246.93
Apr 5, 2021 18:59:15.261616945 CEST  49768        8080       192.168.2.4      198.199.114.69
Apr 5, 2021 18:59:18.267710924 CEST  49768        8080       192.168.2.4      198.199.114.69
Apr 5, 2021 18:59:24.268013954 CEST  49768        8080       192.168.2.4      198.199.114.69
Apr 5, 2021 18:59:41.196846008 CEST  49771        8080       192.168.2.4      152.89.236.214
Apr 5, 2021 18:59:41.235383034 CEST  8080         49771      152.89.236.214   192.168.2.4
Apr 5, 2021 18:59:41.738214970 CEST  49771        8080       192.168.2.4      152.89.236.214
Apr 5, 2021 18:59:41.776612043 CEST  8080         49771      152.89.236.214   192.168.2.4
Apr 5, 2021 18:59:42.285279989 CEST  49771        8080       192.168.2.4      152.89.236.214
Apr 5, 2021 18:59:42.323508978 CEST  8080         49771      152.89.236.214   192.168.2.4
Apr 5, 2021 18:59:47.306583881 CEST  49772        8080       192.168.2.4      87.106.136.232
Apr 5, 2021 18:59:47.349000931 CEST  8080         49772      87.106.136.232   192.168.2.4
Apr 5, 2021 18:59:47.863733053 CEST  49772        8080       192.168.2.4      87.106.136.232
Apr 5, 2021 18:59:47.906204939 CEST  8080         49772      87.106.136.232   192.168.2.4
Apr 5, 2021 18:59:48.410700083 CEST  49772        8080       192.168.2.4      87.106.136.232
Apr 5, 2021 18:59:48.453253984 CEST  8080         49772      87.106.136.232   192.168.2.4
Apr 5, 2021 18:59:53.536737919 CEST  49773        8080       192.168.2.4      178.210.51.222
Apr 5, 2021 18:59:56.536341906 CEST  49773        8080       192.168.2.4      178.210.51.222
Apr 5, 2021 19:00:02.537121058 CEST  49773        8080       192.168.2.4      178.210.51.222
Apr 5, 2021 19:00:18.758183956 CEST  49774        443        192.168.2.4      115.78.95.230
Apr 5, 2021 19:00:21.757378101 CEST  49774        443        192.168.2.4      115.78.95.230
Apr 5, 2021 19:00:27.757694960 CEST  49774        443        192.168.2.4      115.78.95.230
Apr 5, 2021 19:00:45.126122952 CEST  49775        8080       192.168.2.4      201.251.43.69
Apr 5, 2021 19:00:48.134350061 CEST  49775        8080       192.168.2.4      201.251.43.69
Apr 5, 2021 19:00:54.134931087 CEST  49775        8080       192.168.2.4      201.251.43.69

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Apr 5, 2021 18:57:41.224035025 CEST  59123        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:57:41.279380083 CEST  53           59123      8.8.8.8       192.168.2.4
Apr 5, 2021 18:57:41.973491907 CEST  54531        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:57:42.020072937 CEST  53           54531      8.8.8.8       192.168.2.4
Apr 5, 2021 18:57:42.788090944 CEST  49714        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:57:42.834229946 CEST  53           49714      8.8.8.8       192.168.2.4
Apr 5, 2021 18:57:43.351897955 CEST  58028        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:57:43.410505056 CEST  53           58028      8.8.8.8       192.168.2.4
Apr 5, 2021 18:57:43.509006977 CEST  53097        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:57:43.557866096 CEST  53           53097      8.8.8.8       192.168.2.4
Apr 5, 2021 18:57:44.338733912 CEST  49257        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:57:44.397749901 CEST  53           49257      8.8.8.8       192.168.2.4
Apr 5, 2021 18:57:45.304169893 CEST  62389        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:57:45.359034061 CEST  53           62389      8.8.8.8       192.168.2.4
Apr 5, 2021 18:57:46.500598907 CEST  49910        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:57:46.549711943 CEST  53           49910      8.8.8.8       192.168.2.4
Apr 5, 2021 18:57:47.893172979 CEST  55854        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:57:47.941817999 CEST  53           55854      8.8.8.8       192.168.2.4
Apr 5, 2021 18:57:48.903186083 CEST  64549        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:57:48.949871063 CEST  53           64549      8.8.8.8       192.168.2.4
Apr 5, 2021 18:57:49.989537954 CEST  63153        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:57:50.035583019 CEST  53           63153      8.8.8.8       192.168.2.4
Apr 5, 2021 18:57:50.741766930 CEST  52991        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:57:50.790760994 CEST  53           52991      8.8.8.8       192.168.2.4
Apr 5, 2021 18:57:51.580369949 CEST  53700        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:57:51.629301071 CEST  53           53700      8.8.8.8       192.168.2.4
Apr 5, 2021 18:58:06.118351936 CEST  51726        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:58:06.164377928 CEST  53           51726      8.8.8.8       192.168.2.4
Apr 5, 2021 18:58:07.409759998 CEST  56794        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:58:07.456058025 CEST  53           56794      8.8.8.8       192.168.2.4
Apr 5, 2021 18:58:08.859622002 CEST  56534        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:58:08.909094095 CEST  53           56534      8.8.8.8       192.168.2.4
Apr 5, 2021 18:58:10.836987019 CEST  56627        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:58:10.883091927 CEST  53           56627      8.8.8.8       192.168.2.4
Apr 5, 2021 18:58:11.601049900 CEST  56621        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:58:11.650021076 CEST  53           56621      8.8.8.8       192.168.2.4
Apr 5, 2021 18:58:12.360377073 CEST  63116        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:58:12.406294107 CEST  53           63116      8.8.8.8       192.168.2.4
Apr 5, 2021 18:58:13.911045074 CEST  64078        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:58:13.957274914 CEST  53           64078      8.8.8.8       192.168.2.4
Apr 5, 2021 18:58:17.331192017 CEST  64801        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:58:17.387782097 CEST  53           64801      8.8.8.8       192.168.2.4
Apr 5, 2021 18:58:29.081444025 CEST  61721        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:58:29.163309097 CEST  53           61721      8.8.8.8       192.168.2.4
Apr 5, 2021 18:58:29.634037018 CEST  51255        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:58:29.689038038 CEST  53           51255      8.8.8.8       192.168.2.4
Apr 5, 2021 18:58:30.124311924 CEST  61522        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:58:30.178725004 CEST  53           61522      8.8.8.8       192.168.2.4
Apr 5, 2021 18:58:30.345561028 CEST  52337        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:58:30.400163889 CEST  53           52337      8.8.8.8       192.168.2.4
Apr 5, 2021 18:58:30.580789089 CEST  55046        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:58:30.643409014 CEST  53           55046      8.8.8.8       192.168.2.4
Apr 5, 2021 18:58:31.145641088 CEST  49612        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:58:31.261267900 CEST  53           49612      8.8.8.8       192.168.2.4
Apr 5, 2021 18:58:31.770155907 CEST  49285        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:58:31.829598904 CEST  53           49285      8.8.8.8       192.168.2.4
Apr 5, 2021 18:58:32.244858027 CEST  50601        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:58:32.369906902 CEST  53           50601      8.8.8.8       192.168.2.4
Apr 5, 2021 18:58:33.038053036 CEST  60875        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:58:33.092544079 CEST  53           60875      8.8.8.8       192.168.2.4
Apr 5, 2021 18:58:34.060686111 CEST  56448        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:58:34.123255968 CEST  53           56448      8.8.8.8       192.168.2.4
Apr 5, 2021 18:58:34.535834074 CEST  59172        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:58:34.595232010 CEST  53           59172      8.8.8.8       192.168.2.4
Apr 5, 2021 18:58:36.544984102 CEST  62420        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:58:36.605249882 CEST  53           62420      8.8.8.8       192.168.2.4
Apr 5, 2021 18:58:47.978492975 CEST  60579        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:58:48.025485039 CEST  53           60579      8.8.8.8       192.168.2.4
Apr 5, 2021 18:58:48.152729034 CEST  50183        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:58:48.224684954 CEST  53           50183      8.8.8.8       192.168.2.4
Apr 5, 2021 18:58:50.196233034 CEST  61531        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:58:50.254884005 CEST  53           61531      8.8.8.8       192.168.2.4
Apr 5, 2021 18:59:23.702003002 CEST  49228        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:59:23.767357111 CEST  53           49228      8.8.8.8       192.168.2.4
Apr 5, 2021 18:59:25.829446077 CEST  59794        53         192.168.2.4   8.8.8.8
Apr 5, 2021 18:59:25.883848906 CEST  53           59794      8.8.8.8       192.168.2.4

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time:18:57:48
Start date:05/04/2021
Path:C:\Users\user\Desktop\BnJvVt951o.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\BnJvVt951o.exe'
Imagebase:0x400000
File size:516346 bytes
MD5 hash:AE03A6F8FB74D401B403647D28E21574
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.641142570.00000000022D0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Emotet, Description: Emotet Payload, Source: 00000000.00000002.641142570.00000000022D0000.00000040.00000001.sdmp, Author: kevoreilly
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.641176442.00000000022E1000.00000020.00000001.sdmp, Author: Joe Security
• Rule: Emotet, Description: Emotet Payload, Source: 00000000.00000002.641176442.00000000022E1000.00000020.00000001.sdmp, Author: kevoreilly
Reputation:low

General

Start time:18:57:49
Start date:05/04/2021
Path:C:\Users\user\Desktop\BnJvVt951o.exe
Wow64 process (32bit):true
Commandline:--132eeff2
Imagebase:0x400000
File size:516346 bytes
MD5 hash:AE03A6F8FB74D401B403647D28E21574
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.653627913.00000000022F1000.00000020.00000001.sdmp, Author: Joe Security
• Rule: Emotet, Description: Emotet Payload, Source: 00000001.00000002.653627913.00000000022F1000.00000020.00000001.sdmp, Author: kevoreilly
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.653606214.00000000022C0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Emotet, Description: Emotet Payload, Source: 00000001.00000002.653606214.00000000022C0000.00000040.00000001.sdmp, Author: kevoreilly
Reputation:low

General

Start time:18:57:54
Start date:05/04/2021
Path:C:\Windows\SysWOW64\bushexa.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\bushexa.exe
Imagebase:0x400000
File size:516346 bytes
MD5 hash:AE03A6F8FB74D401B403647D28E21574
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.652667047.0000000000F61000.00000020.00000001.sdmp, Author: Joe Security
• Rule: Emotet, Description: Emotet Payload, Source: 00000005.00000002.652667047.0000000000F61000.00000020.00000001.sdmp, Author: kevoreilly
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.652651550.0000000000F40000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Emotet, Description: Emotet Payload, Source: 00000005.00000002.652651550.0000000000F40000.00000040.00000001.sdmp, Author: kevoreilly
Reputation:low

General

Start time:18:57:54
Start date:05/04/2021
Path:C:\Windows\SysWOW64\bushexa.exe
Wow64 process (32bit):true
Commandline:--22f27ebc
Imagebase:0x400000
File size:516346 bytes
MD5 hash:AE03A6F8FB74D401B403647D28E21574
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.1033773851.0000000000F51000.00000020.00000001.sdmp, Author: Joe Security
• Rule: Emotet, Description: Emotet Payload, Source: 00000006.00000002.1033773851.0000000000F51000.00000020.00000001.sdmp, Author: kevoreilly
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.1033749046.0000000000F40000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Emotet, Description: Emotet Payload, Source: 00000006.00000002.1033749046.0000000000F40000.00000040.00000001.sdmp, Author: kevoreilly
Reputation:low

General

Start time:18:57:55
Start date:05/04/2021
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:0x7ff6eb840000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:18:58:14
Start date:05/04/2021
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:0x7ff6eb840000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:18:58:21
Start date:05/04/2021
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:0x7ff6eb840000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:18:58:28
Start date:05/04/2021
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:0x7ff6eb840000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Disassembly

Code Analysis