
Analysis Report SecuriteInfo.com.Trojan.DownLoader34.9370.22530.6400

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.DownLoader34.9370.22530.6400 (renamed file extension from 6400 to exe)
Analysis ID: 255757
MD5: 19f6c263014dd09aa205d15e2b36f043
SHA1: 65f543d942b03f316795bd310c0dd1dd73d182cb
SHA256: f0df82c8613c5f9fd46cc65b7996a6e6318755411a2dff3d324a8f3d758ea797

Detection

Emotet
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • svchost.exe (PID: 6932 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6984 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 7064 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 7088 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 7032 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 5728 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 676 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4852 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4824 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6548 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.547615482.0000000002101000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.547583130.00000000020F0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.281665630.0000000000830000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.281674330.0000000000841000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_02101DA6 CryptDecodeObjectEx,1_2_02101DA6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_0044438D __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,0_2_0044438D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_004448A3 FindFirstFileA,FindClose,0_2_004448A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_008428B7 FindFirstFileW,FindNextFileW,FindClose,0_2_008428B7
Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_0044438D __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,1_2_0044438D
Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_004448A3 FindFirstFileA,FindClose,1_2_004448A3
Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_021028B7 FindFirstFileW,FindNextFileW,FindClose,1_2_021028B7
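The Yara hits above are on memory dumps, not on the file, and the dump names encode where in each process the detected code lived. The following script is an added example (not part of the Joe Sandbox report) that decodes those names and ties them to the code-function ids in the Signature Overview. The field layout it assumes, <process index>.<stage>.<dump id>.<base address>.<page protection>.<type>.sdmp, is inferred from this report: the process index and base address line up with the "<proc>_<stage>_<address>" code-function ids (1_2_02101DA6 sits in the process-1 dump based at 0x2101000), and the protection field holds the Windows PAGE_* constants from winnt.h. Treat the field names as an assumption; the "highest dumped base at or below the address" lookup is a heuristic because the report gives no region sizes.

```python
"""Decode sandbox memory-dump identifiers and map Yara hits back to processes and code.

Added example, not the report's own tooling. Dump-name field meanings are an assumption
inferred from this report (see the lead-in); YARA_HITS and SIGNATURE_LINES are copied from
the page, with the fused "Source"/"Code function" columns separated by " | ".
"""
import re
from collections import defaultdict
from dataclasses import dataclass

PAGE_PROTECTION = {  # Windows memory protection constants (winnt.h)
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Assumed layout: proc.stage.id.base.protect.type.sdmp (proc/stage/base/protect are hex)
RE_DUMP = re.compile(
    r"^([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9a-f]{16})\.([0-9a-f]{8})\.([0-9a-f]{8})\.sdmp$",
    re.I,
)
# Accepts both the fused "...exeCode function:" and the separated "... | Code function:" forms
RE_CODEFN = re.compile(r"Source: (.+?)(?: \| )?Code function: (\d+)_(\d+)_([0-9A-Fa-f]+)")

YARA_HITS = [  # rows copied from the report's Yara "Memory Dumps" table
    ("00000001.00000002.547615482.0000000002101000.00000020.00000001.sdmp", "JoeSecurity_Emotet"),
    ("00000001.00000002.547583130.00000000020F0000.00000040.00000001.sdmp", "JoeSecurity_Emotet"),
    ("00000000.00000002.281665630.0000000000830000.00000040.00000001.sdmp", "JoeSecurity_Emotet"),
    ("00000000.00000002.281674330.0000000000841000.00000020.00000001.sdmp", "JoeSecurity_Emotet"),
]
SIGNATURE_LINES = [  # copied from the Signature Overview; used to map process index -> image
    r"Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_02101DA6 CryptDecodeObjectEx,1_2_02101DA6",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_008428B7 FindFirstFileW,FindNextFileW,FindClose,0_2_008428B7",
]


@dataclass(frozen=True)
class Dump:
    process: int   # index of the process in the analysis (0 = the submitted sample)
    stage: int     # dump stage; 2 is the stage the report's code-function ids use as well
    dump_id: int
    base: int      # virtual base address of the dumped region
    protect: int   # PAGE_* value of the region when it was dumped
    kind: int
    rule: str      # Yara rule that matched this dump

    @property
    def protection(self):
        return PAGE_PROTECTION.get(self.protect, f"0x{self.protect:x}")

    @property
    def executable(self):
        return bool(self.protect & 0xF0)  # any PAGE_EXECUTE* flag


def parse_dump(name, rule=""):
    m = RE_DUMP.match(name)
    if not m:
        raise ValueError(f"not a dump name: {name}")
    proc, stage, dump_id, base, prot, kind = m.groups()
    return Dump(int(proc, 16), int(stage, 16), int(dump_id), int(base, 16), int(prot, 16), int(kind, 16), rule)


def process_images(signature_lines):
    """Map process index -> image path via the <proc>_<stage>_<addr> code-function ids."""
    images = {}
    for line in signature_lines:
        if m := RE_CODEFN.search(line):
            images[int(m.group(2))] = m.group(1)
    return images


def locate(dumps, code_fn):
    """Dumped region a code-function id most plausibly lives in: highest dumped base at or
    below the address in the same process. Heuristic: the report gives no region sizes."""
    proc, _stage, addr = code_fn.split("_")
    proc, addr = int(proc), int(addr, 16)
    candidates = [d for d in dumps if d.process == proc and d.base <= addr]
    return max(candidates, key=lambda d: d.base, default=None)


def layout_fingerprint(dumps):
    """Per process: dumped regions as (offset from the lowest base, protection). Equal
    fingerprints across processes mean the same unpacked layout mapped at different bases."""
    by_proc = defaultdict(list)
    for d in dumps:
        by_proc[d.process].append(d)
    return {
        proc: tuple(sorted((r.base - min(x.base for x in regions), r.protection) for r in regions))
        for proc, regions in by_proc.items()
    }


if __name__ == "__main__":
    dumps = [parse_dump(name, rule) for name, rule in YARA_HITS]
    images = process_images(SIGNATURE_LINES)
    for d in dumps:
        print(f"proc {d.process} ({images.get(d.process, '?')}): {d.rule} at 0x{d.base:08x} {d.protection}")
    for fn in ("1_2_02101DA6", "0_2_008428B7", "0_2_0044438D"):
        hit = locate(dumps, fn)
        print(fn, "->", f"dump at 0x{hit.base:08x}" if hit else "below every dumped region")
    print(layout_fingerprint(dumps))
```

Run as-is, the script shows that both the original sample (process 0) and the dropped C:\Windows\SysWOW64\mmcico\MSAJApi.exe (process 1) carry the same two-region layout: a PAGE_EXECUTE_READWRITE region with a PAGE_EXECUTE_READ region 0x11000 above it, i.e. the same Emotet payload unpacked at a different base in each process. The functions at 0x0044438D, reported at the identical address in both processes, fall below every dumped region, so they belong to the on-disk image rather than to the unpacked code; this is where the report's string-decryption and API-resolution signatures apply.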

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.2.6:49733 -> 177.37.81.212:443
Source: Traffic | Snort IDS: 399 ICMP Destination Unreachable Host Unreachable 177.37.81.212: -> 192.168.2.6:
Source: Traffic | Snort IDS: 2404340 ET CNC Feodo Tracker Reported CnC Server TCP group 21 192.168.2.6:49736 -> 74.207.230.187:8080
Source: Traffic | Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.6:49741 -> 190.164.75.175:80
Source: Traffic | Snort IDS: 399 ICMP Destination Unreachable Host Unreachable 190.164.75.175: -> 192.168.2.6:
Source: Traffic | Snort IDS: 2404300 ET CNC Feodo Tracker Reported CnC Server TCP group 1 192.168.2.6:49755 -> 105.209.239.55:80
Source: global traffic | TCP traffic: 192.168.2.6:49736 -> 74.207.230.187:8080
Source: global traffic | TCP traffic: 192.168.2.6:49733 -> 177.37.81.212:443
Source: global traffic | TCP traffic: 192.168.2.6:49741 -> 190.164.75.175:80
Source: global traffic | TCP traffic: 192.168.2.6:49742 -> 87.252.100.28:80
Source: global traffic | TCP traffic: 192.168.2.6:49755 -> 105.209.239.55:80
Source: unknown | TCP traffic detected without corresponding DNS query: 177.37.81.212
Source: unknown | TCP traffic detected without corresponding DNS query: 177.37.81.212
Source: unknown | TCP traffic detected without corresponding DNS query: 177.37.81.212
Source: unknown | TCP traffic detected without corresponding DNS query: 74.207.230.187
Source: unknown | TCP traffic detected without corresponding DNS query: 74.207.230.187
Source: unknown | TCP traffic detected without corresponding DNS query: 74.207.230.187
Source: unknown | TCP traffic detected without corresponding DNS query: 190.164.75.175
Source: unknown | TCP traffic detected without corresponding DNS query: 190.164.75.175
Source: unknown | TCP traffic detected without corresponding DNS query: 190.164.75.175
Source: unknown | TCP traffic detected without corresponding DNS query: 87.252.100.28
Source: unknown | TCP traffic detected without corresponding DNS query: 87.252.100.28
Source: unknown | TCP traffic detected without corresponding DNS query: 87.252.100.28
Source: unknown | TCP traffic detected without corresponding DNS query: 105.209.239.55
Source: unknown | TCP traffic detected without corresponding DNS query: 105.209.239.55
Source: unknown | TCP traffic detected without corresponding DNS query: 105.209.239.55
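The Networking section is the actionable part of this report: every outbound connection went to a raw IP with no preceding DNS query (the hard-coded C2 list typical of an Emotet loader), four of the five destinations tripped ET "Feodo Tracker Reported CnC Server" Snort rules, and two answered with ICMP host-unreachable, which matches the "all servers are down" signature above. The script below is an added example, not part of the Joe Sandbox report: it parses the Networking lines (copied from this page with the source column separated by " | ", one "without DNS" line per address), correlates Snort alerts, raw TCP flows and the no-DNS signature per destination, and emits local Snort rules only for the endpoint ET did not cover. The Endpoint model, the correlation rules and the rule template (local SIDs from 1000001, message text) are this example's own assumptions. The Facebook/Twitter string hits that follow in the report come from Windows Store catalog JSON inside an svchost.exe process, not from the sample, and are deliberately not treated as indicators here.

```python
"""Pull the hard-coded C2 endpoints out of a sandbox report's Networking section.

Added example, not the report's own tooling. REPORT_LINES is constructed from the
Networking section of this page; the correlation logic and the emitted local Snort
rules are assumptions of this example.
"""
import re
from dataclasses import dataclass, field

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
RE_TCP = re.compile(rf"TCP traffic: {IP}:(\d+) -> {IP}:(\d+)")
RE_SNORT_TCP = re.compile(rf"Snort IDS: (\d+) (.+?) {IP}:(\d+) -> {IP}:(\d+)")
RE_SNORT_ICMP = re.compile(rf"Snort IDS: (\d+) ICMP Destination Unreachable.*? {IP}: -> ")
RE_NO_DNS = re.compile(rf"without corresponding DNS query: {IP}")

REPORT_LINES = [  # constructed from the report's Networking section
    "Source: Traffic | Snort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.2.6:49733 -> 177.37.81.212:443",
    "Source: Traffic | Snort IDS: 399 ICMP Destination Unreachable Host Unreachable 177.37.81.212: -> 192.168.2.6:",
    "Source: Traffic | Snort IDS: 2404340 ET CNC Feodo Tracker Reported CnC Server TCP group 21 192.168.2.6:49736 -> 74.207.230.187:8080",
    "Source: Traffic | Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.6:49741 -> 190.164.75.175:80",
    "Source: Traffic | Snort IDS: 399 ICMP Destination Unreachable Host Unreachable 190.164.75.175: -> 192.168.2.6:",
    "Source: Traffic | Snort IDS: 2404300 ET CNC Feodo Tracker Reported CnC Server TCP group 1 192.168.2.6:49755 -> 105.209.239.55:80",
    "Source: global traffic | TCP traffic: 192.168.2.6:49736 -> 74.207.230.187:8080",
    "Source: global traffic | TCP traffic: 192.168.2.6:49733 -> 177.37.81.212:443",
    "Source: global traffic | TCP traffic: 192.168.2.6:49741 -> 190.164.75.175:80",
    "Source: global traffic | TCP traffic: 192.168.2.6:49742 -> 87.252.100.28:80",
    "Source: global traffic | TCP traffic: 192.168.2.6:49755 -> 105.209.239.55:80",
    "Source: unknown | TCP traffic detected without corresponding DNS query: 177.37.81.212",
    "Source: unknown | TCP traffic detected without corresponding DNS query: 74.207.230.187",
    "Source: unknown | TCP traffic detected without corresponding DNS query: 190.164.75.175",
    "Source: unknown | TCP traffic detected without corresponding DNS query: 87.252.100.28",
    "Source: unknown | TCP traffic detected without corresponding DNS query: 105.209.239.55",
]


@dataclass
class Endpoint:
    ip: str
    port: int
    attempts: int = 0                           # TCP flows the sandbox saw to this ip:port
    snort: dict = field(default_factory=dict)   # sid -> rule message that fired on the flow
    dns_resolved: bool = True                   # cleared by the "without corresponding DNS query" line
    unreachable: bool = False                   # an ICMP host-unreachable came back for this host


def extract_endpoints(lines, home_net="192.168.2."):
    """Correlate flows, Snort alerts and the no-DNS signature per external destination."""
    endpoints, no_dns, unreachable = {}, set(), set()

    def get(ip, port):
        return endpoints.setdefault((ip, port), Endpoint(ip, port))

    for line in lines:
        if m := RE_TCP.search(line):
            src, _sport, dst, dport = m.groups()
            if src.startswith(home_net) and not dst.startswith(home_net):
                get(dst, int(dport)).attempts += 1
        elif m := RE_SNORT_TCP.search(line):
            sid, msg, _src, _sport, dst, dport = m.groups()
            if not dst.startswith(home_net):
                get(dst, int(dport)).snort[int(sid)] = msg
        elif m := RE_SNORT_ICMP.search(line):
            unreachable.add(m.group(2))
        elif m := RE_NO_DNS.search(line):
            no_dns.add(m.group(1))

    for ep in endpoints.values():
        ep.dns_resolved = ep.ip not in no_dns
        ep.unreachable = ep.ip in unreachable
    return endpoints


def c2_candidates(endpoints):
    """Destinations actually contacted that were reached by raw IP or matched a C2 rule."""
    return sorted(
        (ep for ep in endpoints.values() if ep.attempts and (ep.snort or not ep.dns_resolved)),
        key=lambda ep: (ep.ip, ep.port),
    )


def uncovered(endpoints):
    """Candidates with no IDS alert at all: the ones you have to block or alert on yourself."""
    return [ep for ep in c2_candidates(endpoints) if not ep.snort]


def to_snort_rules(endpoints, base_sid=1000001):
    """Local Snort/Suricata rules for the uncovered endpoints (local SIDs start at 1000000)."""
    return [
        f'alert tcp $HOME_NET any -> {ep.ip} {ep.port} '
        f'(msg:"LOCAL Emotet C2 from sandbox analysis 255757"; flow:to_server; sid:{base_sid + i}; rev:1;)'
        for i, ep in enumerate(uncovered(endpoints))
    ]


if __name__ == "__main__":
    eps = extract_endpoints(REPORT_LINES)
    for ep in c2_candidates(eps):
        state = "host unreachable" if ep.unreachable else "no reply recorded"
        print(f"{ep.ip}:{ep.port}  attempts={ep.attempts}  ET sids={sorted(ep.snort)}  dns={ep.dns_resolved}  {state}")
    print("\n".join(to_snort_rules(eps)))
```

The one endpoint without an ET alert, 87.252.100.28:80, is the gap worth closing: it was contacted by raw IP exactly like the four Feodo-Tracker-listed servers, so it belongs on the same block list and gets the generated local rule. Keep the ET SIDs (2404300 to 2404340) as the reference for the other four rather than duplicating them.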
          Source: svchost.exe, 00000014.00000003.505638749.0000021A5833E000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
          Source: svchost.exe, 00000014.00000003.505638749.0000021A5833E000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
          Source: svchost.exe, 00000014.00000003.505638749.0000021A5833E000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","
SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF"},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-07-27T07:14:35.6749414Z||.||121f780f-ffc5-478c-bf53-6b53ed02cb1e||1152921505690835751||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2020-07-27T07:13:24.2771771Z","LocalizedProperties":[{"SkuDescript
          Source: svchost.exe, 00000014.00000003.505660876.0000021A58365000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN"," equals www.facebook.com (Facebook)
          Source: svchost.exe, 00000014.00000003.505660876.0000021A58365000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN"," equals www.twitter.com (Twitter)
          Source: svchost.exe, 00000014.00000003.500480162.0000021A58363000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"murder game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1"},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Game","Validatio
          Source: MSAJApi.exe, 00000001.00000002.547985012.0000000002652000.00000004.00000001.sdmp | String found in binary or memory: http://105.209.239.55/rc2rUWrR1/WhJzR/3YX7pj6hn10/Apoo3AlWLaBTFQ7U/a55xDsRyZJiDp4W/2jOmsD0NM3kQAGvOz
          Source: MSAJApi.exe, 00000001.00000003.363510636.0000000002666000.00000004.00000001.sdmp | String found in binary or memory: http://177.37.81.212/5k0XtZlSP87y9LxGOQ/VE6ikgbHrHnr2WcWj/7eEueo4Kkdzi/1zCGvKh6vCv/JVZRcMZOC6gyqfQX/
          Source: MSAJApi.exe, 00000001.00000002.547985012.0000000002652000.00000004.00000001.sdmp | String found in binary or memory: http://190.164.75.175/NsIRPS47j/FRn5TpUsYaYjIEOK/nCtsOcrY/uih5onx/ueKi4pTgxcPu9MYcS/7MqxAFxdW6MTSSw/
          Source: MSAJApi.exe, 00000001.00000002.547985012.0000000002652000.00000004.00000001.sdmp | String found in binary or memory: http://74.207.230.187:8080/mrtJ2jxRQtiI/
          Source: MSAJApi.exe, 00000001.00000002.547985012.0000000002652000.00000004.00000001.sdmp | String found in binary or memory: http://74.207.230.187:8080/mrtJ2jxRQtiI/R
          Source: MSAJApi.exe, 00000001.00000002.547191795.0000000000683000.00000004.00000020.sdmp, MSAJApi.exe, 00000001.00000002.547985012.0000000002652000.00000004.00000001.sdmp | String found in binary or memory: http://87.252.100.28/KTAEYUeULf/hWnOUo9DGZsHBflK/zzxabm26/TBq7tZmkXTyT9FMZp/pHcFDwS1/
          Source: svchost.exe, 00000014.00000003.497709928.0000021A5833E000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
          Source: svchost.exe, 00000014.00000003.497709928.0000021A5833E000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
          Source: svchost.exe, 00000014.00000003.497709928.0000021A5833E000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
          Source: svchost.exe, 00000003.00000002.305179573.0000024FA8C13000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
          Source: svchost.exe, 00000014.00000003.500769949.0000021A583BC000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.500480162.0000021A58363000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.500819039.0000021A5833E000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
          Source: svchost.exe, 00000014.00000003.500769949.0000021A583BC000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.500480162.0000021A58363000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.500819039.0000021A5833E000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/termsofservice
          Source: svchost.exe, 00000014.00000003.499602360.0000021A5833E000.00000004.00000001.sdmp | String found in binary or memory: http://www.hulu.com/privacy
          Source: svchost.exe, 00000014.00000003.499602360.0000021A5833E000.00000004.00000001.sdmp | String found in binary or memory: http://www.hulu.com/terms
          Source: svchost.exe, 00000003.00000003.304871715.0000024FA8C60000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
          Source: svchost.exe, 00000003.00000003.304917338.0000024FA8C49000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
          Source: svchost.exe, 00000003.00000003.304871715.0000024FA8C60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
          Source: svchost.exe, 00000003.00000002.305210946.0000024FA8C3D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
          Source: svchost.exe, 00000003.00000003.304871715.0000024FA8C60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
          Source: svchost.exe, 00000003.00000003.304894888.0000024FA8C4C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
          Source: svchost.exe, 00000003.00000003.282785500.0000024FA8C30000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
          Source: svchost.exe, 00000003.00000002.305210946.0000024FA8C3D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
          Source: svchost.exe, 00000003.00000003.304871715.0000024FA8C60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
          Source: svchost.exe, 00000003.00000003.304871715.0000024FA8C60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
          Source: svchost.exe, 00000003.00000003.304871715.0000024FA8C60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
          Source: svchost.exe, 00000003.00000003.304982171.0000024FA8C41000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
          Source: svchost.exe, 00000003.00000003.304982171.0000024FA8C41000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
          Source: svchost.exe, 00000003.00000003.304871715.0000024FA8C60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
          Source: svchost.exe, 00000003.00000002.305234143.0000024FA8C5C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
          Source: svchost.exe, 00000014.00000003.495810793.0000021A58332000.00000004.00000001.sdmp | String found in binary or memory: https://displaycatalog.mp.microsoft.c
          Source: svchost.exe, 00000003.00000003.304917338.0000024FA8C49000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
          Source: svchost.exe, 00000003.00000002.305234143.0000024FA8C5C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
          Source: svchost.exe, 00000003.00000002.305234143.0000024FA8C5C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
          Source: svchost.exe, 00000003.00000002.305239650.0000024FA8C61000.00000004.00000001.sdmp, svchost.exe, 00000003.00000003.304917338.0000024FA8C49000.00000004.00000001.sdmp, svchost.exe, 00000003.00000003.304982171.0000024FA8C41000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
          Source: svchost.exe, 00000003.00000003.304871715.0000024FA8C60000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
          Source: svchost.exe, 00000003.00000002.305210946.0000024FA8C3D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
          Source: svchost.exe, 00000003.00000003.282785500.0000024FA8C30000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
          Source: svchost.exe, 00000014.00000003.500769949.0000021A583BC000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.500480162.0000021A58363000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.500819039.0000021A5833E000.00000004.00000001.sdmp | String found in binary or memory: https://instagram.com/hiddencity_
          Source: svchost.exe, 00000014.00000003.495490182.0000021A58344000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.495638211.0000021A58355000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.495581675.0000021A58332000.00000004.00000001.sdmp | String found in binary or memory: https://picsart.com/privacy-policy?hl=en
          Source: svchost.exe, 00000003.00000002.305210946.0000024FA8C3D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
          Source: svchost.exe, 00000003.00000002.305179573.0000024FA8C13000.00000004.00000001.sdmp, svchost.exe, 00000003.00000002.305210946.0000024FA8C3D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
          Source: svchost.exe, 00000003.00000003.304975669.0000024FA8C45000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
          Source: svchost.exe, 00000003.00000003.304975669.0000024FA8C45000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
          Source: svchost.exe, 00000003.00000003.282785500.0000024FA8C30000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
          Source: svchost.exe, 00000003.00000003.282785500.0000024FA8C30000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
          Source: svchost.exe, 00000003.00000003.304894888.0000024FA8C4C000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
          Source: svchost.exe, 00000014.00000003.497709928.0000021A5833E000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
          Source: svchost.exe, 00000014.00000003.499602360.0000021A5833E000.00000004.00000001.sdmp | String found in binary or memory: https://www.hulu.com/ca-privacy-rights
          Source: svchost.exe, 00000014.00000003.499602360.0000021A5833E000.00000004.00000001.sdmp | String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
          Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_00401131 SendMessageA,GetKeyState,GetKeyState,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalLock,CloseClipboard
          Source: SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe, 00000000.00000002.281692182.000000000085A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_0044082C GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_004528D7 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_004528EC GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_0043CDD3 GetKeyState,GetKeyState,GetKeyState,GetKeyState
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_0044082C GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_004528D7 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_004528EC GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_0043CDD3 GetKeyState,GetKeyState,GetKeyState,GetKeyState

          E-Banking Fraud:

          Yara detected Emotet
          Source: Yara match | File source: 00000001.00000002.547615482.0000000002101000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.547583130.00000000020F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.281665630.0000000000830000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.281674330.0000000000841000.00000020.00000001.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | File created: C:\Windows\SysWOW64\mmcico\
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | File deleted: C:\Windows\SysWOW64\mmcico\MSAJApi.exe:Zone.Identifier
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_0041A0B6
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_004102C6
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_004104A3
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_0042A590
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_0043F513
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_00421A1F
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_0041A0B6
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_004102C6
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_004104A3
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_0042A590
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_0043F513
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_00421A1F
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: String function: 004134C8 appears 277 times
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: String function: 00412B98 appears 48 times
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: String function: 00455D09 appears 38 times
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: String function: 004134C8 appears 277 times
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: String function: 00412B98 appears 48 times
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: String function: 00455D09 appears 38 times
          Source: SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe, 00000000.00000002.281650749.0000000000790000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe
          Source: SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe, 00000000.00000002.282708034.0000000002F40000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe
          Source: SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe, 00000000.00000000.277855638.0000000000493000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCHexEditDemo.EXER vs SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe
          Source: SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe, 00000000.00000002.283143234.0000000003040000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe
          Source: SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe, 00000000.00000002.283143234.0000000003040000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe
          Source: SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Binary or memory string: OriginalFilenameCHexEditDemo.EXER vs SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe
          Source: classification engine | Classification label: mal68.troj.evad.winEXE@15/1@0/6
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_02103529 Process32NextW,CreateToolhelp32Snapshot,FindCloseChangeNotification
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_0046392F CoCreateInstance,CoCreateInstance,CoCreateInstance,OleRun
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_0043DBEF __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7056:120:WilError_01
          Source: SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe'
          Source: unknownProcess created: C:\Windows\SysWOW64\mmcico\MSAJApi.exe C:\Windows\SysWOW64\mmcico\MSAJApi.exe
          Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
          Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
          Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
          Source: unknownProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exeProcess created: C:\Windows\SysWOW64\mmcico\MSAJApi.exe C:\Windows\SysWOW64\mmcico\MSAJApi.exeJump to behavior
          Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenableJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exeCode function: 0_2_0044112E GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,0_2_0044112E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exeCode function: 0_2_00412FD0 push eax; ret 0_2_00412FFE
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exeCode function: 0_2_004134C8 push eax; ret 0_2_004134E6
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exeCode function: 0_2_00837864 push 00000071h; iretd 0_2_00837879
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exeCode function: 1_2_00412FD0 push eax; ret 1_2_00412FFE
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exeCode function: 1_2_004134C8 push eax; ret 1_2_004134E6
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exeCode function: 1_2_020F7864 push 00000071h; iretd 1_2_020F7879

          Persistence and Installation Behavior:

          Drops executables to the windows directory (C:\Windows) and starts them
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Executable created and started: C:\Windows\SysWOW64\mmcico\MSAJApi.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | PE file moved: C:\Windows\SysWOW64\mmcico\MSAJApi.exe

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | File opened: C:\Windows\SysWOW64\mmcico\MSAJApi.exe:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_004080B3 IsIconic,GetWindowPlacement,GetWindowRect
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_0044E1A5 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_004284A0 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_0045298F IsWindowVisible,IsIconic
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_00401028 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_00427CF0 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_004080B3 IsIconic,GetWindowPlacement,GetWindowRect
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_0044E1A5 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_004284A0 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_0045298F IsWindowVisible,IsIconic
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_00401028 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_00427CF0 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_00456E4D LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\System32\svchost.exe TID: 6420 | Thread sleep time: -150000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 6420 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | File Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_0044438D __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_004448A3 FindFirstFileA,FindClose
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_008428B7 FindFirstFileW,FindNextFileW,FindClose
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_0044438D __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_004448A3 FindFirstFileA,FindClose
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_021028B7 FindFirstFileW,FindNextFileW,FindClose
          Source: svchost.exe, 00000007.00000002.332128641.000001F8ECF40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.399008884.000001D36E460000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.473113280.0000028357140000.00000002.00000001.sdmp, svchost.exe, 00000012.00000002.487755057.000001ACD9140000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.518987181.0000021A58A00000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: MSAJApi.exe, 00000001.00000002.547191795.0000000000683000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWYS
          Source: MSAJApi.exe, 00000001.00000003.363518368.0000000002668000.00000004.00000001.sdmp, svchost.exe, 00000014.00000002.517983740.0000021A57AE6000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
          Source: MSAJApi.exe, 00000001.00000002.547985012.0000000002652000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWh
          Source: svchost.exe, 00000007.00000002.332128641.000001F8ECF40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.399008884.000001D36E460000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.473113280.0000028357140000.00000002.00000001.sdmp, svchost.exe, 00000012.00000002.487755057.000001ACD9140000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.518987181.0000021A58A00000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: svchost.exe, 00000007.00000002.332128641.000001F8ECF40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.399008884.000001D36E460000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.473113280.0000028357140000.00000002.00000001.sdmp, svchost.exe, 00000012.00000002.487755057.000001ACD9140000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.518987181.0000021A58A00000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: svchost.exe, 00000014.00000002.517824978.0000021A57AA4000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
          Source: svchost.exe, 00000002.00000002.546646466.000001F671E29000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: svchost.exe, 00000007.00000002.332128641.000001F8ECF40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.399008884.000001D36E460000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.473113280.0000028357140000.00000002.00000001.sdmp, svchost.exe, 00000012.00000002.487755057.000001ACD9140000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.518987181.0000021A58A00000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_0044112E GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_00830467 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_00832690 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_00832F70 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_00843631 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_00842D51 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_020F2690 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_020F0467 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_020F2F70 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_02103631 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_02102D51 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_0041A8C4 SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_0041A8D6 SetUnhandledExceptionFilter
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_0041A8C4 SetUnhandledExceptionFilter
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_0041A8D6 SetUnhandledExceptionFilter
          Source: MSAJApi.exe, 00000001.00000002.547480305.0000000000CD0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: MSAJApi.exe, 00000001.00000002.547480305.0000000000CD0000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: MSAJApi.exe, 00000001.00000002.547480305.0000000000CD0000.00000002.00000001.sdmp | Binary or memory string: Program ManagerNd[\
          Source: MSAJApi.exe, 00000001.00000002.547480305.0000000000CD0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_00422393 GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_00422450 GetLocaleInfoA,MultiByteToWideChar
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_004224A6 GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_00422569 GetLocaleInfoW,WideCharToMultiByte
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_0041E74E GetLocaleInfoA,IsValidCodePage,IsValidLocale
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_0041E923 EnumSystemLocalesA
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_0041EBAE EnumSystemLocalesA
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_0041ECC1 EnumSystemLocalesA
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_0041EEB5 GetLocaleInfoA
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_00422393 GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_00422450 GetLocaleInfoA,MultiByteToWideChar
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_004224A6 GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_00422569 GetLocaleInfoW,WideCharToMultiByte
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_0041E74E GetLocaleInfoA,IsValidCodePage,IsValidLocale
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_0041E923 EnumSystemLocalesA
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_0041EBAE EnumSystemLocalesA
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_0041ECC1 EnumSystemLocalesA
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Code function: 1_2_0041EEB5 GetLocaleInfoA
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_004156F1 GetLocalTime,GetSystemTime,GetTimeZoneInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_0041C6A7 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.22530.exe | Code function: 0_2_00456CC9 GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA
          Source: C:\Windows\SysWOW64\mmcico\MSAJApi.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings:

          Changes security center settings (notifications, updates, antivirus, firewall)
          Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
          Source: svchost.exe, 00000005.00000002.546990808.000002ABC4640000.00000004.00000001.sdmp | Binary or memory string: @V%ProgramFiles%\Windows Defender\MsMpeng.exe
          Source: svchost.exe, 00000005.00000002.546969143.000002ABC4629000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
          Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
          Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
          Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
          Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

          Stealing of Sensitive Information:
