Analysis Report aVNY4n1VGq

Overview

General Information

Sample Name: aVNY4n1VGq (renamed file extension from none to exe)
Analysis ID: 317599
MD5: c1ff65bb75903f9a2a17dfbc235e219c
SHA1: f8891c4fdc61ccaa1d13fe11f91c16d78bbefdf5
SHA256: de9505e3f631336b8a639315332b145836a9167eb8754f83b661c55c79f792df

Detection

Emotet
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: aVNY4n1VGq.exe Virustotal: Detection: 60%
Source: aVNY4n1VGq.exe Metadefender: Detection: 59%
Source: aVNY4n1VGq.exe ReversingLabs: Detection: 75%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00402A40 CryptAcquireContextA,GetProcAddress,GetProcAddress,GetProcAddress,GetLastError,GetLastError,GetLastError, 0_2_00402A40
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_0040D090 CryptAcquireContextA,CryptAcquireContextA,CryptAcquireContextA,GetProcAddress,VirtualAlloc,LoadStringW,LoadStringW,LoadStringW,CreateWindowExW,ShowWindow,UpdateWindow,LoadAcceleratorsW,GetMessageW,GetMessageW,TranslateMessage,DispatchMessageW,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,GetMessageW, 0_2_0040D090
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00402970 CryptAcquireContextA, 0_2_00402970
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00402D00 CryptAcquireContextA,CryptAcquireContextA, 0_2_00402D00
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_0040CFEE CryptAcquireContextA,CryptAcquireContextA,CryptAcquireContextA,GetProcAddress,VirtualAlloc,LoadStringW,LoadStringW,LoadStringW,CreateWindowExW,ShowWindow,UpdateWindow,LoadAcceleratorsW,GetMessageW,GetMessageW,TranslateMessage,DispatchMessageW,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,GetMessageW, 0_2_0040CFEE
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00402A40 CryptAcquireContextA,GetProcAddress,GetProcAddress,GetProcAddress,GetLastError,GetLastError,GetLastError, 1_2_00402A40
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_0040D090 CryptAcquireContextA,CryptAcquireContextA,CryptAcquireContextA,GetProcAddress,VirtualAlloc,LoadStringW,LoadStringW,LoadStringW,CreateWindowExW,ShowWindow,UpdateWindow,LoadAcceleratorsW,GetMessageW,GetMessageW,TranslateMessage,DispatchMessageW,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,GetMessageW, 1_2_0040D090
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00402970 CryptAcquireContextA, 1_2_00402970
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00402D00 CryptAcquireContextA,CryptAcquireContextA, 1_2_00402D00
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_0040CFEE CryptAcquireContextA,CryptAcquireContextA,CryptAcquireContextA,GetProcAddress,VirtualAlloc,LoadStringW,LoadStringW,LoadStringW,CreateWindowExW,ShowWindow,UpdateWindow,LoadAcceleratorsW,GetMessageW,GetMessageW,TranslateMessage,DispatchMessageW,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,GetMessageW, 1_2_0040CFEE
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00662130 CryptEncrypt,CryptGetHashParam,memcpy,CryptDuplicateHash,CryptExportKey,CryptDestroyHash, 1_2_00662130
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00662470 CryptDecodeObjectEx,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptCreateHash,CryptAcquireContextW,CryptGenKey, 1_2_00662470
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00661EC8 CryptDecrypt, 1_2_00661EC8
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00661EB0 CryptDecrypt,CryptDuplicateHash,memcpy,CryptDestroyHash,CryptVerifySignatureW, 1_2_00661EB0
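The signature above fires on nothing more than CryptAcquireContext, which both the submitted file and its dropped copy call from their 0x0040xxxx functions. The lines that actually matter for triage are the four 1_2_0066xxxx functions in C:\Windows\SysWOW64\EmailApis\find.exe: CryptDecodeObjectEx followed by CryptImportKey and CryptGenKey (a DER-encoded key blob is imported and a fresh key generated), CryptExportKey together with CryptEncrypt (the generated key is exported, i.e. wrapped, and data encrypted), and CryptDecrypt followed by CryptVerifySignatureW (responses are decrypted and their signature checked). That is the shape of a hybrid public-key/session-key channel; the report does not name the algorithms, so treat the algorithm choice as unknown until the key blob is recovered. Those four functions also sit in a 0x0066xxxx region well away from the 0x0040xxxx functions shared with the original image, which is consistent with code in a runtime-allocated buffer (VirtualAlloc appears in 0_2_0040D090), though the report does not state that. The helper below is an added example for triaging this kind of report, not Joe Sandbox output and not the sample's code: it parses the "Code function:" lines, folds A/W suffixes, tags each function with the role its CryptoAPI subset implies, and groups functions by address region. The role names and the 16-bit region split are my own labels; the input lines are copied from this section.

```python
import re
from collections import defaultdict

# Constructed input: the CryptoAPI "Code function" lines from this report's
# Cryptography section, copied verbatim (raw strings keep the backslashes).
CODE_FUNCTION_LINES = [
    r"Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00402A40 CryptAcquireContextA,GetProcAddress,GetProcAddress,GetProcAddress,GetLastError,GetLastError,GetLastError, 0_2_00402A40",
    r"Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00402970 CryptAcquireContextA, 0_2_00402970",
    r"Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00662130 CryptEncrypt,CryptGetHashParam,memcpy,CryptDuplicateHash,CryptExportKey,CryptDestroyHash, 1_2_00662130",
    r"Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00662470 CryptDecodeObjectEx,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptCreateHash,CryptAcquireContextW,CryptGenKey, 1_2_00662470",
    r"Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00661EC8 CryptDecrypt, 1_2_00661EC8",
    r"Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00661EB0 CryptDecrypt,CryptDuplicateHash,memcpy,CryptDestroyHash,CryptVerifySignatureW, 1_2_00661EB0",
]

# "Source: <process> Code function: <pid>_<n>_<addr> <api,api,...>, <pid>_<n>_<addr>"
LINE_RE = re.compile(
    r"^Source: (?P<proc>.+?) Code function: (?P<func>\d+_\d+_[0-9A-Fa-f]+) "
    r"(?P<apis>.*?),? (?P=func)$"
)

# Role labels are my own: each is the minimal CryptoAPI subset that implies it.
ROLES = {
    "import-public-key-and-generate-session-key": {"CryptImportKey", "CryptGenKey"},
    "export-session-key-and-encrypt": {"CryptExportKey", "CryptEncrypt"},
    "decrypt-and-verify-signature": {"CryptDecrypt", "CryptVerifySignature"},
}


def normalize(api):
    """Fold ANSI/Unicode pairs (CryptAcquireContextA/W) onto one name."""
    return api[:-1] if api.startswith("Crypt") and api[-1] in "AW" else api


def parse_code_functions(lines):
    """Map function id -> (process path, sorted distinct APIs it calls)."""
    funcs = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        apis = {normalize(a.strip()) for a in m["apis"].split(",") if a.strip()}
        funcs[m["func"]] = (m["proc"], sorted(apis))
    return funcs


def classify(lines):
    """Function id -> roles whose API subset the function fully contains."""
    result = {}
    for func, (_proc, apis) in parse_code_functions(lines).items():
        roles = sorted(role for role, need in ROLES.items() if need <= set(apis))
        if roles:
            result[func] = roles
    return result


def region(func):
    """Top 16 bits of the function address, e.g. '0x0040' or '0x0066'."""
    return f"0x{int(func.split('_')[2], 16) >> 16:04x}"


def regions(lines):
    """Address region -> sorted function ids, to separate image code from
    code living elsewhere (here the 0x0066xxxx crypto chain)."""
    out = defaultdict(list)
    for func in parse_code_functions(lines):
        out[region(func)].append(func)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for func, roles in classify(CODE_FUNCTION_LINES).items():
        print(func, region(func), ", ".join(roles))
    print(regions(CODE_FUNCTION_LINES))
```

Run against the full report export rather than this excerpt, the same parser lets you ignore every function whose only CryptoAPI call is CryptAcquireContext and go straight to the ones that move key material.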
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_0041A475 FindFirstFileExW,_IsRootUNCName,GetDriveTypeW,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindClose,GetLastError,FindClose,GetLastError,FindClose, 0_2_0041A475
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_0041295F wsprintfW,FindFirstFileExW,GetDriveTypeW,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindClose,GetLastError,FindClose,GetLastError,FindClose, 0_2_0041295F
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00407050 SendMessageW,FindWindowW,EnumChildWindows,wsprintfW,FindFirstFileW,FindNextFileW,SendMessageW,SendMessageW,FindNextFileW,FindClose, 0_2_00407050
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00403340 FindWindowW,EnumChildWindows,EnumChildWindows,EnumChildWindows,PeekMessageW,PeekMessageW,DispatchMessageW,DispatchMessageW,PeekMessageW,wsprintfW,wsprintfW,FindFirstFileExW,FindFirstFileExW,SendMessageW,SendMessageW,SendMessageW,wsprintfW,SendMessageW,FindNextFileW,GetLastError,SetWindowTextW,FindClose,FindFirstFileExW,wsprintfW,wsprintfW,FindFirstFileExW,wsprintfW,SetWindowTextW,SetWindowTextW,FindNextFileW,GetLastError,SetWindowTextW,FindClose, 0_2_00403340
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_004037B0 FindWindowW,EnumChildWindows,EnumChildWindows,EnumChildWindows,PeekMessageW,PeekMessageW,DispatchMessageW,DispatchMessageW,PeekMessageW,wsprintfW,wsprintfW,FindFirstFileExW,PathMatchSpecW,SendMessageW,SendMessageW,wsprintfW,SendMessageW,wsprintfW,SetWindowTextW,SetWindowTextW,FindNextFileW,GetLastError,SetWindowTextW,FindClose, 0_2_004037B0
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00403B80 FindWindowW,EnumChildWindows,EnumChildWindows,EnumChildWindows,PeekMessageW,PeekMessageW,DispatchMessageW,DispatchMessageW,PeekMessageW,wsprintfW,FindFirstFileExW,SendMessageW,SendMessageW,SendMessageW,wsprintfW,SendMessageW,wsprintfW,SetWindowTextW,SetWindowTextW,SendMessageW,SetWindowTextW,FindNextFileW,GetLastError,SetWindowTextW,FindClose, 0_2_00403B80
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_006636A0 FindNextFileW,FindNextFileW,FindFirstFileW,FindFirstFileW,_snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,FindClose,FindClose, 0_2_006636A0
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_0041A475 FindFirstFileExW,_IsRootUNCName,GetDriveTypeW,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindClose,GetLastError,FindClose,GetLastError,FindClose, 1_2_0041A475
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_0041295F wsprintfW,FindFirstFileExW,GetDriveTypeW,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindClose,GetLastError,FindClose,GetLastError,FindClose, 1_2_0041295F
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00407050 SendMessageW,FindWindowW,EnumChildWindows,wsprintfW,FindFirstFileW,FindNextFileW,SendMessageW,SendMessageW,FindNextFileW,FindClose, 1_2_00407050
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00403340 FindWindowW,EnumChildWindows,EnumChildWindows,EnumChildWindows,PeekMessageW,PeekMessageW,DispatchMessageW,DispatchMessageW,PeekMessageW,wsprintfW,wsprintfW,FindFirstFileExW,FindFirstFileExW,SendMessageW,SendMessageW,SendMessageW,wsprintfW,SendMessageW,FindNextFileW,GetLastError,SetWindowTextW,FindClose,FindFirstFileExW,wsprintfW,wsprintfW,FindFirstFileExW,wsprintfW,SetWindowTextW,SetWindowTextW,FindNextFileW,GetLastError,SetWindowTextW,FindClose, 1_2_00403340
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_004037B0 FindWindowW,EnumChildWindows,EnumChildWindows,EnumChildWindows,PeekMessageW,PeekMessageW,DispatchMessageW,DispatchMessageW,PeekMessageW,wsprintfW,wsprintfW,FindFirstFileExW,PathMatchSpecW,SendMessageW,SendMessageW,wsprintfW,SendMessageW,wsprintfW,SetWindowTextW,SetWindowTextW,FindNextFileW,GetLastError,SetWindowTextW,FindClose, 1_2_004037B0
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00403B80 FindWindowW,EnumChildWindows,EnumChildWindows,EnumChildWindows,PeekMessageW,PeekMessageW,DispatchMessageW,DispatchMessageW,PeekMessageW,wsprintfW,FindFirstFileExW,SendMessageW,SendMessageW,SendMessageW,wsprintfW,SendMessageW,wsprintfW,SetWindowTextW,SetWindowTextW,SendMessageW,SetWindowTextW,FindNextFileW,GetLastError,SetWindowTextW,FindClose, 1_2_00403B80
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_006636A0 FindNextFileW,FindNextFileW,FindFirstFileW,FindFirstFileW,_snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,FindClose,FindClose, 1_2_006636A0
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00407200 ShowWindow,GetLogicalDriveStringsW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW, 0_2_00407200

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404326 ET CNC Feodo Tracker Reported CnC Server TCP group 14 192.168.2.6:49722 -> 202.22.141.45:80
Source: Traffic Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.6:49723 -> 37.187.161.206:8080
Source: Traffic Snort IDS: 2404342 ET CNC Feodo Tracker Reported CnC Server TCP group 22 192.168.2.6:49748 -> 80.87.201.221:7080
Source: Traffic Snort IDS: 2404328 ET CNC Feodo Tracker Reported CnC Server TCP group 15 192.168.2.6:49756 -> 216.47.196.104:80
Source: Traffic Snort IDS: 2404322 ET CNC Feodo Tracker Reported CnC Server TCP group 12 192.168.2.6:49758 -> 192.241.143.52:8080
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49723 -> 37.187.161.206:8080
Source: global traffic TCP traffic: 192.168.2.6:49748 -> 80.87.201.221:7080
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 202.29.239.162
Source: Joe Sandbox View IP Address: 82.76.111.249
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
  POST /AdrldGXV/Bs30cjs4AU3IzZu/xo28V2cMzXuFzgL4H/ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 202.22.141.45/AdrldGXV/Bs30cjs4AU3IzZu/xo28V2cMzXuFzgL4H/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=------------FCyU10uhyaAe
  Host: 202.22.141.45
  Content-Length: 4596
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
  POST /InHXuec0FwJu/uzQT6GP7WIL/3SaseJ06z/ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 192.241.143.52/InHXuec0FwJu/uzQT6GP7WIL/3SaseJ06z/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=----------------1wtet0WDmimh7Ix1
  Host: 192.241.143.52:8080
  Content-Length: 4596
  Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 202.22.141.45 (reported 7 times)
Source: unknown TCP traffic detected without corresponding DNS query: 37.187.161.206 (reported 3 times)
Source: unknown TCP traffic detected without corresponding DNS query: 202.29.239.162 (reported 3 times)
Source: unknown TCP traffic detected without corresponding DNS query: 80.87.201.221 (reported 3 times)
Source: unknown TCP traffic detected without corresponding DNS query: 82.76.111.249 (reported 3 times)
Source: unknown TCP traffic detected without corresponding DNS query: 216.47.196.104 (reported 3 times)
Source: unknown TCP traffic detected without corresponding DNS query: 192.241.143.52 (reported 7 times)
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_006627C0 HttpQueryInfoW,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,InternetReadFile, 1_2_006627C0
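Read together, the network evidence above has a recognisable shape: every C2 host is contacted by IP literal with no preceding DNS query, two of the five Feodo Tracker hits are on 8080 and 7080, and each beacon is a multipart/form-data POST that borrows a Firefox User-Agent, carries a Referer that is just host plus path with no scheme, and uses a path made of random alphanumeric segments. The svchost.exe string hits further down (Facebook/Twitter URLs inside a Store listing for Spotify) come from svchost.exe memory, not from the sample's traffic, and are not indicators. The script below is an added example, not Joe Sandbox output and not Emotet's code: it rebuilds the two captured requests from their varying parts (header breaks restored; the fixed headers are the ones the report shows for both), scores a request on those four traits, extracts the C2 endpoints from the Snort lines, and lists the non-standard ports. The indicator names, the segment-length thresholds and the benign control request are my own.

```python
import re
from ipaddress import ip_address


def strip_port(host):
    """'192.241.143.52:8080' -> '192.241.143.52'; hosts without a port unchanged."""
    name, _, port = host.rpartition(":")
    return name if name and port.isdigit() else host


def emotet_request(path, host, boundary):
    """Rebuild one of the report's POSTs. The Referer is host (without port)
    plus path, exactly as captured. The 4596-byte body is omitted."""
    return (
        f"POST {path} HTTP/1.1\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0\r\n"
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
        "Accept-Language: en-US,en;q=0.5\r\n"
        "Accept-Encoding: gzip, deflate\r\n"
        "DNT: 1\r\n"
        "Connection: keep-alive\r\n"
        f"Referer: {strip_port(host)}{path}\r\n"
        "Upgrade-Insecure-Requests: 1\r\n"
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Host: {host}\r\n"
        "Content-Length: 4596\r\n"
        "Cache-Control: no-cache\r\n"
        "\r\n"
    )


# Constructed inputs: the two C2 POSTs from this report, plus a benign control.
EMOTET_POSTS = [
    emotet_request("/AdrldGXV/Bs30cjs4AU3IzZu/xo28V2cMzXuFzgL4H/", "202.22.141.45", "------------FCyU10uhyaAe"),
    emotet_request("/InHXuec0FwJu/uzQT6GP7WIL/3SaseJ06z/", "192.241.143.52:8080", "----------------1wtet0WDmimh7Ix1"),
]
BENIGN_POST = (
    "POST /account/login HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0\r\n"
    "Referer: https://www.example.com/account/login\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: www.example.com\r\n"
    "Content-Length: 42\r\n"
    "\r\n"
)
# Constructed input: the Snort alert lines from this report, verbatim.
SNORT_ALERTS = [
    "Source: Traffic Snort IDS: 2404326 ET CNC Feodo Tracker Reported CnC Server TCP group 14 192.168.2.6:49722 -> 202.22.141.45:80",
    "Source: Traffic Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.6:49723 -> 37.187.161.206:8080",
    "Source: Traffic Snort IDS: 2404342 ET CNC Feodo Tracker Reported CnC Server TCP group 22 192.168.2.6:49748 -> 80.87.201.221:7080",
    "Source: Traffic Snort IDS: 2404328 ET CNC Feodo Tracker Reported CnC Server TCP group 15 192.168.2.6:49756 -> 216.47.196.104:80",
    "Source: Traffic Snort IDS: 2404322 ET CNC Feodo Tracker Reported CnC Server TCP group 12 192.168.2.6:49758 -> 192.241.143.52:8080",
]
SNORT_RE = re.compile(r"Snort IDS: (\d+) (.*?) TCP group \d+ [\d.]+:\d+ -> ([\d.]+):(\d+)$")


def parse_request(raw):
    """Split a raw HTTP request head into (method, target, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def is_ip_literal(host):
    try:
        ip_address(strip_port(host))
        return True
    except ValueError:
        return False


def looks_random_path(target):
    """2-4 alphanumeric segments of 8-20 chars with a trailing slash (my thresholds)."""
    if not target.endswith("/"):
        return False
    segs = target.strip("/").split("/")
    return 2 <= len(segs) <= 4 and all(s.isalnum() and 8 <= len(s) <= 20 for s in segs)


def beacon_indicators(raw):
    """Return the list of traits a request shares with the captured beacons."""
    method, target, h = parse_request(raw)
    host = h.get("host", "")
    hits = []
    if is_ip_literal(host):
        hits.append("host-is-ip-literal")
    if method == "POST" and h.get("content-type", "").startswith("multipart/form-data"):
        hits.append("multipart-post")
    if h.get("referer") == strip_port(host) + target:
        hits.append("self-referer-without-scheme")
    if looks_random_path(target):
        hits.append("random-alnum-path")
    return hits


def snort_c2_endpoints(lines):
    """(dst ip, dst port) -> (sid, message) for each Snort alert line."""
    out = {}
    for line in lines:
        m = SNORT_RE.search(line)
        if m:
            sid, msg, ip, port = m.groups()
            out[(ip, int(port))] = (int(sid), msg)
    return out


def nonstandard_ports(endpoints, standard=(80, 443)):
    return sorted({port for _ip, port in endpoints if port not in standard})


if __name__ == "__main__":
    for raw in EMOTET_POSTS + [BENIGN_POST]:
        print(parse_request(raw)[1], beacon_indicators(raw))
    eps = snort_c2_endpoints(SNORT_ALERTS)
    print(sorted(eps), nonstandard_ports(eps))
```

Three or four hits on one request is a strong signal on its own; in a proxy log the scheme-less self-Referer and the IP-literal Host are the cheapest two to filter on, and the Snort endpoint list is the block list to push while the traffic is still being confirmed.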
Source: svchost.exe, 00000009.00000003.434625295.0000026822336000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000009.00000003.434625295.0000026822336000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000009.00000003.434563577.0000026822376000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-11-12T09:39:07.5144221Z||.||9288d061-57da-41c3-82f2-684ccacde030||1152921505692410033||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000009.00000003.434548437.000002682236C000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE6XrnM equals www.facebook.com (Facebook)
Source: svchost.exe, 00000009.00000003.434548437.000002682236C000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE6XrnM equals www.twitter.com (Twitter)
Source: svchost.exe, 00000009.00000003.428001722.0000026822383000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000009.00000003.428050145.0000026822362000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1
a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":378738486,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6","PackageId":"07a1d8a1-8397-e482-20a2-bffb37866c1e-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
Source: svchost.exe, 00000009.00000003.427987068.0000026822802000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000009.00000003.434625295.0000026822336000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000009.00000003.434625295.0000026822336000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000009.00000003.434563577.0000026822376000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD",
"MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-11-12T09:39:07.5144221Z||.||9288d061-57da-41c3-82f2-684ccacde030||1152921505692410033||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000009.00000003.434548437.000002682236C000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE6XrnM equals www.facebook.com (Facebook)
Source: svchost.exe, 00000009.00000003.434548437.000002682236C000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE6XrnM equals www.twitter.com (Twitter)
Source: svchost.exe, 00000009.00000003.428001722.0000026822383000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000009.00000003.428050145.0000026822362000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1
a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":378738486,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6","PackageId":"07a1d8a1-8397-e482-20a2-bffb37866c1e-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
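Triage note on the svchost.exe strings in this group: the payloads are Microsoft Store catalog product records (fields such as ProductId, PackageFamilyName, SearchTitles, LegacyWindowsStoreProductId, DisplaySkuAvailabilities), and the domains the "equals www.facebook.com / www.twitter.com" rule reports are the ones in the publishers' promotional text embedded in those records. Matches of this kind are low value on their own, and the report repeats the same truncated record several times, so it helps to bucket them before reading the rest of the string findings. The following Python is an added example written for this page; it is not part of the Joe Sandbox report or its tooling. It assumes the finding-line layout shown in this section ("Source: <process>, <dump-id> String found in binary or memory: <payload> equals <domain> (<label>)", with the trailing part missing on truncated lines). The svchost.exe sample lines are abbreviated from this report; the sample.exe line is constructed for contrast and is not an observation about the analysed file.

```python
"""Triage helper for Joe Sandbox "String found in binary or memory" findings.

Added example (not part of the report). Assumed line format, taken from
this report; other report versions may lay the line out differently:

  Source: <process>, <dump-id> String found in binary or memory: <payload> equals <domain> (<label>)

The trailing "equals ... (...)" part is absent when the report truncates a
long payload, so it is optional here.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

FINDING_RE = re.compile(
    r"^Source:\s*(?P<process>[^,]+),\s*(?P<dump>\S+)\s+"
    r"String found in binary or memory:\s*(?P<payload>.*?)"
    r"(?:\s+equals\s+(?P<domain>\S+)\s+\((?P<label>[^)]*)\))?\s*$",
    re.DOTALL,
)

# Field names of Microsoft Store catalog product records (seen in the payloads
# of this report). Two or more in one payload is treated as catalog noise.
STORE_MARKERS = (
    "PackageFamilyName", "ProductId", "SearchTitleType",
    "LegacyWindowsStoreProductId", "ProductTitle", "SkuTitle",
)


@dataclass(frozen=True)
class Finding:
    process: str
    dump: str
    payload: str
    domain: Optional[str]   # None when the report truncated the line
    label: Optional[str]

    @property
    def is_store_catalog(self) -> bool:
        return sum(marker in self.payload for marker in STORE_MARKERS) >= 2


def parse_finding(line: str) -> Optional[Finding]:
    """Parse one report line; returns None for lines in another format."""
    m = FINDING_RE.match(line.strip())
    if m is None:
        return None
    return Finding(m["process"].strip(), m["dump"], m["payload"], m["domain"], m["label"])


def triage(lines: Iterable[str]) -> Tuple[List[Finding], List[Finding]]:
    """Parse all lines, drop verbatim repeats, and split them into
    (store_catalog_noise, to_review)."""
    seen = set()
    noise: List[Finding] = []
    review: List[Finding] = []
    for line in lines:
        f = parse_finding(line)
        if f is None or f in seen:      # frozen dataclass, so hashable
            continue
        seen.add(f)
        (noise if f.is_store_catalog else review).append(f)
    return noise, review


def flagged_domains(findings: Iterable[Finding]) -> List[str]:
    """Distinct domains the rule matched, for a quick per-bucket summary."""
    return sorted({f.domain for f in findings if f.domain})


# Sample input. The svchost.exe lines are abbreviated from this report (payloads
# shortened); the sample.exe line is constructed for contrast and is not an
# observation about the analysed file.
SAMPLE_LINES = [
    'Source: svchost.exe, 00000009.00000003.434625295.0000026822336000.00000004.00000001.sdmp '
    'String found in binary or memory: Like us on Facebook: http://www.facebook.com/spotify \\r\\n'
    'Follow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music",'
    '"SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"}],'
    '"ProductId":"9NCBCSZSJRSB" equals www.facebook.com (Facebook)',
    'Source: svchost.exe, 00000009.00000003.434625295.0000026822336000.00000004.00000001.sdmp '
    'String found in binary or memory: Like us on Facebook: http://www.facebook.com/spotify \\r\\n'
    'Follow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music",'
    '"SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"}],'
    '"ProductId":"9NCBCSZSJRSB" equals www.twitter.com (Twitter)',
    # Truncated record without the "equals" suffix, repeated verbatim as in the report.
    'Source: svchost.exe, 00000009.00000003.428001722.0000026822383000.00000004.00000001.sdmp '
    'String found in binary or memory: FIND US: www.facebook.com/HiddenCityGame\\r\\n'
    '"ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6"',
    'Source: svchost.exe, 00000009.00000003.428001722.0000026822383000.00000004.00000001.sdmp '
    'String found in binary or memory: FIND US: www.facebook.com/HiddenCityGame\\r\\n'
    '"ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6"',
    'Source: sample.exe, 00000000.00000002.100000000.0000000000400000.00000040.00000001.sdmp '
    'String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)',
]

if __name__ == "__main__":
    noise, review = triage(SAMPLE_LINES)
    print(f"store catalog noise: {len(noise)} finding(s), domains {flagged_domains(noise)}")
    print(f"to review:           {len(review)} finding(s), domains {flagged_domains(review)}")
    for f in review:
        print(f"  {f.process} {f.dump}: {f.payload[:60]!r}")
```

The marker threshold of two fields keeps a lone "ProductId" substring in an unrelated string from being waved through; the dedup key is the whole parsed record, so the Facebook and Twitter hits on one dump survive as two findings while verbatim repeats of a truncated line collapse to one.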
Source: svchost.exe, 00000009.00000003.427987068.0000026822802000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: unknown HTTP traffic detected: POST /AdrldGXV/Bs30cjs4AU3IzZu/xo28V2cMzXuFzgL4H/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 202.22.141.45/AdrldGXV/Bs30cjs4AU3IzZu/xo28V2cMzXuFzgL4H/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=------------FCyU10uhyaAeHost: 202.22.141.45Content-Length: 4596Cache-Control: no-cache
Source: find.exe, 00000001.00000002.606155021.000000000261B000.00000004.00000001.sdmp, find.exe, 00000001.00000002.606127731.00000000025F2000.00000004.00000001.sdmp String found in binary or memory: http://192.241.143.52:8080/InHXuec0FwJu/uzQT6GP7WIL/3SaseJ06z/
Source: find.exe, 00000001.00000002.600507508.00000000007DA000.00000004.00000020.sdmp String found in binary or memory: http://192.241.143.52:8080/InHXuec0FwJu/uzQT6GP7WIL/3SaseJ06z/729;
Source: find.exe, 00000001.00000002.606155021.000000000261B000.00000004.00000001.sdmp String found in binary or memory: http://192.241.143.52:8080/InHXuec0FwJu/uzQT6GP7WIL/3SaseJ06z/BR
Source: find.exe, 00000001.00000002.606127731.00000000025F2000.00000004.00000001.sdmp String found in binary or memory: http://192.241.143.52:8080/InHXuec0FwJu/uzQT6GP7WIL/3SaseJ06z/FF
Source: find.exe, 00000001.00000002.606127731.00000000025F2000.00000004.00000001.sdmp String found in binary or memory: http://192.241.143.52:8080/InHXuec0FwJu/uzQT6GP7WIL/3SaseJ06z/GA
Source: find.exe, 00000001.00000002.606127731.00000000025F2000.00000004.00000001.sdmp String found in binary or memory: http://192.241.143.52:8080/InHXuec0FwJu/uzQT6GP7WIL/3SaseJ06z/rAPW
Source: find.exe, 00000001.00000003.371859358.00000000025FF000.00000004.00000001.sdmp String found in binary or memory: http://202.22.141.45/AdrldGXV/Bs30cjs4AU3IzZu/xo28V2cMzXuFzgL4H/
Source: find.exe, 00000001.00000002.600507508.00000000007DA000.00000004.00000020.sdmp String found in binary or memory: http://202.22.141.45/AdrldGXV/Bs30cjs4AU3IzZu/xo28V2cMzXuFzgL4H/=
Source: find.exe, 00000001.00000002.606127731.00000000025F2000.00000004.00000001.sdmp String found in binary or memory: http://216.47.196.104/eSFFw/s8cZJsZCPcRERX/Dt6b5w5D1/wlAysudKzFu4c/v4RYuCTV5XUsjz1/t6xFH6HyPqYxy/
Source: find.exe, 00000001.00000002.606127731.00000000025F2000.00000004.00000001.sdmp String found in binary or memory: http://216.47.196.104/eSFFw/s8cZJsZCPcRERX/Dt6b5w5D1/wlAysudKzFu4c/v4RYuCTV5XUsjz1/t6xFH6HyPqYxy/&k
Source: find.exe, 00000001.00000002.606127731.00000000025F2000.00000004.00000001.sdmp String found in binary or memory: http://80.87.201.221:7080/vUSRjjFTSt/
Source: find.exe, 00000001.00000002.606127731.00000000025F2000.00000004.00000001.sdmp String found in binary or memory: http://80.87.201.221:7080/vUSRjjFTSt/83/bpAbdqWbDm4mH/OGeH4LBv/
Source: find.exe, 00000001.00000002.606127731.00000000025F2000.00000004.00000001.sdmp String found in binary or memory: http://80.87.201.221:7080/vUSRjjFTSt/vv
Source: find.exe, 00000001.00000002.606127731.00000000025F2000.00000004.00000001.sdmp String found in binary or memory: http://80.87.201.221:743/21a3Xau9qs542Lq/eolmPO/h86By/bRwlRZ3UlQ3/
Source: find.exe, 00000001.00000002.606127731.00000000025F2000.00000004.00000001.sdmp String found in binary or memory: http://82.76.111.249:443/21a3Xau9qs542Lq/eolmPO/h86By/bRwlRZ3UlQ3/
Source: find.exe, 00000001.00000002.606127731.00000000025F2000.00000004.00000001.sdmp String found in binary or memory: http://82.76.111.249:443/21a3Xau9qs542Lq/eolmPO/h86By/bRwlRZ3UlQ3/-
Source: find.exe, 00000001.00000002.606127731.00000000025F2000.00000004.00000001.sdmp String found in binary or memory: http://82.76.111.249:443/21a3Xau9qs542Lq/eolmPO/h86By/bRwlRZ3UlQ3/ljeW
Source: svchost.exe, 00000009.00000002.449310476.0000026822110000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 00000009.00000002.449310476.0000026822110000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 0000000F.00000002.605793335.0000029F5CA14000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000009.00000002.449310476.0000026822110000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 00000009.00000002.449310476.0000026822110000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 0000000F.00000002.605793335.0000029F5CA14000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 0000000F.00000002.605793335.0000029F5CA14000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 0000000F.00000002.605685192.0000029F5C970000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000009.00000003.427987068.0000026822802000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.428001722.0000026822383000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.428050145.0000026822362000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 00000009.00000003.427987068.0000026822802000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.428001722.0000026822383000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.428050145.0000026822362000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 00000009.00000003.426962222.000002682236B000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/privacy
Source: svchost.exe, 00000009.00000003.426962222.000002682236B000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/terms
Source: svchost.exe, 00000009.00000003.433643603.000002682238C000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.433770844.0000026822337000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 00000009.00000003.433643603.000002682238C000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.433770844.0000026822337000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.433702025.0000026822368000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 00000009.00000003.433643603.000002682238C000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.433770844.0000026822337000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: find.exe, 00000001.00000002.606127731.00000000025F2000.00000004.00000001.sdmp String found in binary or memory: https://fs.microsoft.c4/eSFFw/s8cZJsZCPcRERX/Dt6b5w5D1/wlAysudKzFu4c/v4RYuCTV5XUsjz1/t6xFH6HyPqYxy/
Source: svchost.exe, 00000009.00000003.427987068.0000026822802000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.428001722.0000026822383000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.428050145.0000026822362000.00000004.00000001.sdmp String found in binary or memory: https://instagram.com/hiddencity_
Source: find.exe, 00000001.00000003.371859358.00000000025FF000.00000004.00000001.sdmp String found in binary or memory: https://watson.telemetdrldGXV/Bs30cjs4AU3IzZu/xo28V2cMzXuFzgL4H/
Source: svchost.exe, 00000009.00000003.426962222.000002682236B000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/ca-privacy-rights
Source: svchost.exe, 00000009.00000003.426962222.000002682236B000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
Source: svchost.exe, 00000009.00000003.433643603.000002682238C000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.433770844.0000026822337000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 00000009.00000003.433643603.000002682238C000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.433770844.0000026822337000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_0040AC95 SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,wsprintfW,SetWindowTextW,SetWindowTextW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,MessageBoxW,SendMessageW,SendMessageW,SetWindowTextW,SetWindowTextW,SendMessageW,SendMessageW,SendMessageW,SetFocus,SetFocus,SendMessageW,SendMessageW,SendMessageW,wsprintfW,SetWindowTextW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetWindowTextW,SendMessageW,SendMessageW,SendMessageW,SetFocus,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetAsyncKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,swprintf,swprintf,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetWindowTextW,SetWindowTextW,SendMessageW,SendMessageW,SendMessageW,SetFocus,SendMessageW,SendMessageW,SendMessageW,GetLastError,GetLastError,MessageBoxW,SetFocus,SetFocus,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetFocus,PeekMessageW,DispatchMessageW,GetAsyncKeyState,GetAsyncKeyState,MessageBoxW,SendMessageW,SetFocus,IsWindowVisible,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetWindowTextW,SetWindowTextW,SendMessageW,SendMessageW,ShowWindow,SetFocus,SendMessageW,SendMessageW,GetLastError,GetLastError,SetWindowTextW,SetWindowTextW,SetFocus,SendInput,SendMessageW,SetFocus,SetWindowTextW,SetWindowTextW,SetWindowTextW,SetFocus,MessageBoxW,SendMessageW,SendMessageW,wsprintfW,SetWindowTextW,ShellExecuteW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,MessageBoxW,SendMessageW,SendMessageW,wsprintfW,SetWindowTextW,MessageBoxW,SetFocus,SendInput,SetFocus,GetKeyState,DefWindowProcW,SendMessageW,SendMessageW,SendMessageW,wsprintfW,wsprintfW,wsprintfW,SetWindowTextW,ShellExecuteExW,wsprintfW,SetWindowTextW,ShellExecuteW, 0_2_0040AC95
Creates a DirectInput object (often for capturing keystrokes)
Source: aVNY4n1VGq.exe, 00000000.00000002.336245390.000000000083A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00409860 FindWindowW,EnumChildWindows,FindWindowW,GetEnvironmentVariableW,FindWindowW,EnumChildWindows,EnumChildWindows,EnumChildWindows,EnumChildWindows,EnumChildWindows,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ClientToScreen,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetKeyState,SendMessageW,SetCursorPos,SendInput,SendInput,SendInput,SendInput,SendInput,SendInput,SendInput,SendMessageW,SetEnvironmentVariableW,SendMessageW,SetWindowTextW,SendMessageW,GetWindowTextW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetLastError,GetLastError,GetLastError,SetKeyboardState,GetLastError,SendMessageW,SendMessageW,GetLastError,GetLastError,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyboardState,SetKeyboardState,SendMessageW,SendMessageW,SendMessageW,GetLastError,GetLastError,GetLastError,SetFocus,SendInput,SetKeyboardState,SetFocus,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetLastError,GetLastError,GetLastError,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,MoveWindow,SendMessageW,SetFocus,MoveWindow,DefWindowProcW,SendMessageW,GetAncestor,FindWindowExW,GetClientRect,LoadLibraryW,CreateWindowExW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow, 0_2_00409860
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00409860 FindWindowW,EnumChildWindows,FindWindowW,GetEnvironmentVariableW,FindWindowW,EnumChildWindows,EnumChildWindows,EnumChildWindows,EnumChildWindows,EnumChildWindows,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ClientToScreen,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetKeyState,SendMessageW,SetCursorPos,SendInput,SendInput,SendInput,SendInput,SendInput,SendInput,SendInput,SendMessageW,SetEnvironmentVariableW,SendMessageW,SetWindowTextW,SendMessageW,GetWindowTextW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetLastError,GetLastError,GetLastError,SetKeyboardState,GetLastError,SendMessageW,SendMessageW,GetLastError,GetLastError,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyboardState,SetKeyboardState,SendMessageW,SendMessageW,SendMessageW,GetLastError,GetLastError,GetLastError,SetFocus,SendInput,SetKeyboardState,SetFocus,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetLastError,GetLastError,GetLastError,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,MoveWindow,SendMessageW,SetFocus,MoveWindow,DefWindowProcW,SendMessageW,GetAncestor,FindWindowExW,GetClientRect,LoadLibraryW,CreateWindowExW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow, 1_2_00409860

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 00000000.00000002.336024849.0000000000661000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.335954972.0000000000620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.600383649.0000000000661000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.600351755.0000000000644000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.600279394.0000000000620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.335981050.0000000000644000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.aVNY4n1VGq.exe.660000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.find.exe.660000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00662470 CryptDecodeObjectEx,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptCreateHash,CryptAcquireContextW,CryptGenKey, 1_2_00662470

System Summary:

Creates files inside the system directory
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe File created: C:\Windows\SysWOW64\EmailApis\
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe File deleted: C:\Windows\SysWOW64\EmailApis\find.exe:Zone.Identifier
Detected potential crypto function
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_004180F6 0_2_004180F6
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00434386 0_2_00434386
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00426504 0_2_00426504
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_0042051B 0_2_0042051B
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_0042E582 0_2_0042E582
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00438603 0_2_00438603
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_004348F1 0_2_004348F1
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_004389AE 0_2_004389AE
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00420A0F 0_2_00420A0F
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_0045CDD1 0_2_0045CDD1
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00420E27 0_2_00420E27
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_0041CED0 0_2_0041CED0
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_0042125C 0_2_0042125C
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_0040D490 0_2_0040D490
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00407610 0_2_00407610
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00421691 0_2_00421691
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00409860 0_2_00409860
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00407A59 0_2_00407A59
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00435B7F 0_2_00435B7F
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00437D41 0_2_00437D41
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00668210 0_2_00668210
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00667E50 0_2_00667E50
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00666340 0_2_00666340
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00667620 0_2_00667620
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_006639B0 0_2_006639B0
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00663B10 0_2_00663B10
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00661BE0 0_2_00661BE0
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00663D37 0_2_00663D37
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00663D10 0_2_00663D10
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_004180F6 1_2_004180F6
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00434386 1_2_00434386
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00426504 1_2_00426504
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_0042051B 1_2_0042051B
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_0042E582 1_2_0042E582
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00438603 1_2_00438603
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_004348F1 1_2_004348F1
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_004389AE 1_2_004389AE
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00420A0F 1_2_00420A0F
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_0045CDD1 1_2_0045CDD1
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00420E27 1_2_00420E27
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_0041CED0 1_2_0041CED0
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_0042125C 1_2_0042125C
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_0040D490 1_2_0040D490
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00407610 1_2_00407610
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00421691 1_2_00421691
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00409860 1_2_00409860
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00407A59 1_2_00407A59
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00435B7F 1_2_00435B7F
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00437D41 1_2_00437D41
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00668210 1_2_00668210
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00666340 1_2_00666340
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00667620 1_2_00667620
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_006639B0 1_2_006639B0
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00663B10 1_2_00663B10
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00661BE0 1_2_00661BE0
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00663D37 1_2_00663D37
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00663D10 1_2_00663D10
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00667E50 1_2_00667E50
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: String function: 0045946C appears 110 times
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: String function: 0043CA33 appears 32 times
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: String function: 0041E75A appears 45 times
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: String function: 00418CD0 appears 70 times
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: String function: 004125A9 appears 39 times
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: String function: 00412F18 appears 58 times
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: String function: 0045949F appears 75 times
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: String function: 0041151F appears 39 times
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: String function: 0045946C appears 110 times
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: String function: 0043CA33 appears 32 times
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: String function: 0041E75A appears 45 times
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: String function: 00418CD0 appears 70 times
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: String function: 004125A9 appears 39 times
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: String function: 00412F18 appears 58 times
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: String function: 0045949F appears 75 times
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: String function: 0041151F appears 39 times
PE file contains strange resources
Source: aVNY4n1VGq.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: aVNY4n1VGq.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: aVNY4n1VGq.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: aVNY4n1VGq.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: aVNY4n1VGq.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: aVNY4n1VGq.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: aVNY4n1VGq.exe, 00000000.00000002.336601255.00000000023A0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs aVNY4n1VGq.exe
Source: aVNY4n1VGq.exe, 00000000.00000002.336601255.00000000023A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs aVNY4n1VGq.exe
Source: aVNY4n1VGq.exe, 00000000.00000002.336533676.0000000002340000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs aVNY4n1VGq.exe
Source: classification engine Classification label: mal72.troj.evad.winEXE@7/4@0/8
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: CloseServiceHandle,CreateServiceW,_snwprintf,OpenSCManagerW,CloseServiceHandle, 0_2_006687E0
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00664AA0 Process32FirstW,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,CloseHandle,FindCloseChangeNotification, 1_2_00664AA0
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00664E60 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,OpenServiceW,OpenServiceW,GetProcessHeap,HeapFree, 0_2_00664E60
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Command line argument: kern 0_2_0040D090
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Command line argument: el32.d 0_2_0040D090
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Command line argument: T5676thdrgddhf 0_2_0040D090
Source: C:\Windows\SysWOW64\EmailApis\find.exe Command line argument: kern 1_2_0040D090
Source: C:\Windows\SysWOW64\EmailApis\find.exe Command line argument: el32.d 1_2_0040D090
Source: C:\Windows\SysWOW64\EmailApis\find.exe Command line argument: T5676thdrgddhf 1_2_0040D090
Source: aVNY4n1VGq.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: aVNY4n1VGq.exe Virustotal: Detection: 60%
Source: aVNY4n1VGq.exe Metadefender: Detection: 59%
Source: aVNY4n1VGq.exe ReversingLabs: Detection: 75%
Source: unknown Process created: C:\Users\user\Desktop\aVNY4n1VGq.exe 'C:\Users\user\Desktop\aVNY4n1VGq.exe'
Source: unknown Process created: C:\Windows\SysWOW64\EmailApis\find.exe C:\Windows\SysWOW64\EmailApis\find.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Process created: C:\Windows\SysWOW64\EmailApis\find.exe C:\Windows\SysWOW64\EmailApis\find.exe
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: aVNY4n1VGq.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: aVNY4n1VGq.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: aVNY4n1VGq.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: aVNY4n1VGq.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: aVNY4n1VGq.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: aVNY4n1VGq.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Binary string: C:\Users\DODO\Videos\TwoStageSearch\TwoStageSearch\TwoStageSearch\Release\TwoStageSearch.pdb source: aVNY4n1VGq.exe
Source: Binary string: C:\Users\DODO\Videos\TwoStageSearch\TwoStageSearch\TwoStageSearch\Release\TwoStageSearch.pdb" source: aVNY4n1VGq.exe
Source: aVNY4n1VGq.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: aVNY4n1VGq.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: aVNY4n1VGq.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: aVNY4n1VGq.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: aVNY4n1VGq.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00641030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, 0_2_00641030
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00418D15 push ecx; ret 0_2_00418D28
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_0045943A push ecx; ret 0_2_0045944D
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00665B70 push ecx; mov dword ptr [esp], 0000C5A7h 0_2_00665B71
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00665B30 push ecx; mov dword ptr [esp], 0000FA5Dh 0_2_00665B31
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00665B00 push ecx; mov dword ptr [esp], 0000A2E6h 0_2_00665B01
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00665BF0 push ecx; mov dword ptr [esp], 0000B897h 0_2_00665BF1
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00665BC0 push ecx; mov dword ptr [esp], 000063CCh 0_2_00665BC1
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00665C70 push ecx; mov dword ptr [esp], 0000ADB2h 0_2_00665C71
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00665C40 push ecx; mov dword ptr [esp], 0000BED0h 0_2_00665C41
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00665CD0 push ecx; mov dword ptr [esp], 0000374Ah 0_2_00665CD1
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00665D60 push ecx; mov dword ptr [esp], 000022A3h 0_2_00665D61
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00665DC0 push ecx; mov dword ptr [esp], 00004963h 0_2_00665DC1
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00665D80 push ecx; mov dword ptr [esp], 00000DA6h 0_2_00665D81
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00418D15 push ecx; ret 1_2_00418D28
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_0045943A push ecx; ret 1_2_0045944D
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00665B70 push ecx; mov dword ptr [esp], 0000C5A7h 1_2_00665B71
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00665B30 push ecx; mov dword ptr [esp], 0000FA5Dh 1_2_00665B31
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00665B00 push ecx; mov dword ptr [esp], 0000A2E6h 1_2_00665B01
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00665BF0 push ecx; mov dword ptr [esp], 0000B897h 1_2_00665BF1
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00665BC0 push ecx; mov dword ptr [esp], 000063CCh 1_2_00665BC1
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00665C70 push ecx; mov dword ptr [esp], 0000ADB2h 1_2_00665C71
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00665C40 push ecx; mov dword ptr [esp], 0000BED0h 1_2_00665C41
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00665CD0 push ecx; mov dword ptr [esp], 0000374Ah 1_2_00665CD1
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00665D60 push ecx; mov dword ptr [esp], 000022A3h 1_2_00665D61
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00665DC0 push ecx; mov dword ptr [esp], 00004963h 1_2_00665DC1
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00665D80 push ecx; mov dword ptr [esp], 00000DA6h 1_2_00665D81

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Executable created and started: C:\Windows\SysWOW64\EmailApis\find.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe PE file moved: C:\Windows\SysWOW64\EmailApis\find.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe File opened: C:\Windows\SysWOW64\EmailApis\find.exe:Zone.Identifier read attributes | delete
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_004180F6 RtlEncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004180F6

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,OpenServiceW,OpenServiceW,GetProcessHeap,HeapFree, 0_2_00664E60
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6520 Thread sleep time: -210000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6320 Thread sleep time: -30000s >= -30000s
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_0041A475 FindFirstFileExW,_IsRootUNCName,GetDriveTypeW,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindClose,GetLastError,FindClose,GetLastError,FindClose, 0_2_0041A475
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_0041295F wsprintfW,FindFirstFileExW,GetDriveTypeW,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindClose,GetLastError,FindClose,GetLastError,FindClose, 0_2_0041295F
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00407050 SendMessageW,FindWindowW,EnumChildWindows,wsprintfW,FindFirstFileW,FindNextFileW,SendMessageW,SendMessageW,FindNextFileW,FindClose, 0_2_00407050
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00403340 FindWindowW,EnumChildWindows,EnumChildWindows,EnumChildWindows,PeekMessageW,PeekMessageW,DispatchMessageW,DispatchMessageW,PeekMessageW,wsprintfW,wsprintfW,FindFirstFileExW,FindFirstFileExW,SendMessageW,SendMessageW,SendMessageW,wsprintfW,SendMessageW,FindNextFileW,GetLastError,SetWindowTextW,FindClose,FindFirstFileExW,wsprintfW,wsprintfW,FindFirstFileExW,wsprintfW,SetWindowTextW,SetWindowTextW,FindNextFileW,GetLastError,SetWindowTextW,FindClose, 0_2_00403340
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_004037B0 FindWindowW,EnumChildWindows,EnumChildWindows,EnumChildWindows,PeekMessageW,PeekMessageW,DispatchMessageW,DispatchMessageW,PeekMessageW,wsprintfW,wsprintfW,FindFirstFileExW,PathMatchSpecW,SendMessageW,SendMessageW,wsprintfW,SendMessageW,wsprintfW,SetWindowTextW,SetWindowTextW,FindNextFileW,GetLastError,SetWindowTextW,FindClose, 0_2_004037B0
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00403B80 FindWindowW,EnumChildWindows,EnumChildWindows,EnumChildWindows,PeekMessageW,PeekMessageW,DispatchMessageW,DispatchMessageW,PeekMessageW,wsprintfW,FindFirstFileExW,SendMessageW,SendMessageW,SendMessageW,wsprintfW,SendMessageW,wsprintfW,SetWindowTextW,SetWindowTextW,SendMessageW,SetWindowTextW,FindNextFileW,GetLastError,SetWindowTextW,FindClose, 0_2_00403B80
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_006636A0 FindNextFileW,FindNextFileW,FindFirstFileW,FindFirstFileW,_snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,FindClose,FindClose, 0_2_006636A0
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_0041A475 FindFirstFileExW,_IsRootUNCName,GetDriveTypeW,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindClose,GetLastError,FindClose,GetLastError,FindClose, 1_2_0041A475
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_0041295F wsprintfW,FindFirstFileExW,GetDriveTypeW,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindClose,GetLastError,FindClose,GetLastError,FindClose, 1_2_0041295F
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00407050 SendMessageW,FindWindowW,EnumChildWindows,wsprintfW,FindFirstFileW,FindNextFileW,SendMessageW,SendMessageW,FindNextFileW,FindClose, 1_2_00407050
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00403340 FindWindowW,EnumChildWindows,EnumChildWindows,EnumChildWindows,PeekMessageW,PeekMessageW,DispatchMessageW,DispatchMessageW,PeekMessageW,wsprintfW,wsprintfW,FindFirstFileExW,FindFirstFileExW,SendMessageW,SendMessageW,SendMessageW,wsprintfW,SendMessageW,FindNextFileW,GetLastError,SetWindowTextW,FindClose,FindFirstFileExW,wsprintfW,wsprintfW,FindFirstFileExW,wsprintfW,SetWindowTextW,SetWindowTextW,FindNextFileW,GetLastError,SetWindowTextW,FindClose, 1_2_00403340
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_004037B0 FindWindowW,EnumChildWindows,EnumChildWindows,EnumChildWindows,PeekMessageW,PeekMessageW,DispatchMessageW,DispatchMessageW,PeekMessageW,wsprintfW,wsprintfW,FindFirstFileExW,PathMatchSpecW,SendMessageW,SendMessageW,wsprintfW,SendMessageW,wsprintfW,SetWindowTextW,SetWindowTextW,FindNextFileW,GetLastError,SetWindowTextW,FindClose, 1_2_004037B0
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00403B80 FindWindowW,EnumChildWindows,EnumChildWindows,EnumChildWindows,PeekMessageW,PeekMessageW,DispatchMessageW,DispatchMessageW,PeekMessageW,wsprintfW,FindFirstFileExW,SendMessageW,SendMessageW,SendMessageW,wsprintfW,SendMessageW,wsprintfW,SetWindowTextW,SetWindowTextW,SendMessageW,SetWindowTextW,FindNextFileW,GetLastError,SetWindowTextW,FindClose, 1_2_00403B80
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_006636A0 FindNextFileW,FindNextFileW,FindFirstFileW,FindFirstFileW,_snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,FindClose,FindClose, 1_2_006636A0
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00407200 ShowWindow,GetLogicalDriveStringsW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW, 0_2_00407200
Source: svchost.exe, 00000003.00000002.396223403.000001AFABC60000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.413665225.00000191DDD40000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.452693826.0000026822A00000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: find.exe, 00000001.00000002.606127731.00000000025F2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWp
Source: svchost.exe, 00000009.00000002.448998182.0000026821AA3000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWP
Source: svchost.exe, 0000000F.00000002.606067438.0000029F5CA61000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: find.exe, 00000001.00000003.371859358.00000000025FF000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.449133064.0000026821AEB000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.605995328.0000029F5CA4A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000003.00000002.396223403.000001AFABC60000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.413665225.00000191DDD40000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.452693826.0000026822A00000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000003.00000002.396223403.000001AFABC60000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.413665225.00000191DDD40000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.452693826.0000026822A00000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000003.00000002.396223403.000001AFABC60000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.413665225.00000191DDD40000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.452693826.0000026822A00000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\EmailApis\find.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00413029 IsDebuggerPresent, 0_2_00413029
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_004293E7 EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_004293E7
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00641030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, 0_2_00641030
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00664C10 mov eax, dword ptr fs:[00000030h] 0_2_00664C10
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00663D10 mov eax, dword ptr fs:[00000030h] 0_2_00663D10
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00641030 mov eax, dword ptr fs:[00000030h] 0_2_00641030
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00664C10 mov eax, dword ptr fs:[00000030h] 1_2_00664C10
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00663D10 mov eax, dword ptr fs:[00000030h] 1_2_00663D10
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_00641030 mov eax, dword ptr fs:[00000030h] 1_2_00641030
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_0042AA35 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,SetEndOfFile,GetLastError, 0_2_0042AA35
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_0041BDF2 SetUnhandledExceptionFilter, 0_2_0041BDF2
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_0041BE23 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041BE23
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_0041BDF2 SetUnhandledExceptionFilter, 1_2_0041BDF2
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: 1_2_0041BE23 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0041BE23
Source: find.exe, 00000001.00000002.600740792.0000000000D60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: find.exe, 00000001.00000002.600740792.0000000000D60000.00000002.00000001.sdmp Binary or memory string: Progman
Source: find.exe, 00000001.00000002.600740792.0000000000D60000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: find.exe, 00000001.00000002.600740792.0000000000D60000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: 0_2_00413DA5 cpuid 0_2_00413DA5
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: IsValidCodePage,GetLocaleInfoW, 0_2_00424264
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: EnumSystemLocalesW, 0_2_004244D8
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: EnumSystemLocalesW, 0_2_00424534
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: EnumSystemLocalesW, 0_2_004245B1
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00424634
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: GetLocaleInfoW, 0_2_00424829
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00424953
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: GetLocaleInfoW, 0_2_00424A00
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00424AD4
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: EnumSystemLocalesW, 0_2_00424E79
Source: C:\Users\user\Desktop\aVNY4n1VGq.exe Code function: GetLocaleInfoW, 0_2_00424EFF
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: IsValidCodePage,GetLocaleInfoW, 1_2_00424264
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: EnumSystemLocalesW, 1_2_004244D8
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: EnumSystemLocalesW, 1_2_00424534
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: EnumSystemLocalesW, 1_2_004245B1
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 1_2_00424634
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: GetLocaleInfoW, 1_2_00424829
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_00424953
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: GetLocaleInfoW, 1_2_00424A00
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 1_2_00424AD4
Source: C:\Windows\SysWOW64\EmailApis\find.exe Code function: EnumSystemLocalesW, 1_2_00424E79