Analysis Report idWMSrWvoE

Overview

General Information

Sample Name: idWMSrWvoE (renamed file extension from none to exe)
Analysis ID: 317600
MD5: be909e1d506e47ac34ec4702a6496e7b
SHA1: 9e16225736a7672a54c9d5585462971476ad28b4
SHA256: 2cbc79f13459c7dafd0af9574103453ba5cde8336c8117798a5b03d82da0abea

Most interesting Screenshot:

Detection

Emotet
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to enumerate running services
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000002.00000002.473344049.00000000004AE000.00000004.00000020.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["190.202.229.74:80", "118.69.11.81:7080", "70.39.251.94:8080", "87.230.25.43:8080", "94.23.62.116:8080", "37.187.161.206:8080", "45.46.37.97:80", "138.97.60.141:7080", "177.144.130.105:8080", "169.1.39.242:80", "209.236.123.42:8080", "202.134.4.210:7080", "193.251.77.110:80", "2.45.176.233:80", "217.13.106.14:8080", "189.223.16.99:80", "190.101.156.139:80", "77.238.212.227:80", "181.58.181.9:80", "37.183.81.217:80", "74.58.215.226:80", "174.118.202.24:443", "168.197.45.36:80", "81.215.230.173:443", "192.175.111.212:7080", "216.47.196.104:80", "128.92.203.42:80", "94.176.234.118:443", "191.182.6.118:80", "212.71.237.140:8080", "24.232.228.233:80", "177.73.0.98:443", "177.23.7.151:80", "24.135.69.146:80", "83.169.21.32:7080", "189.34.181.88:80", "179.222.115.170:80", "177.144.130.105:443", "213.197.182.158:8080", "5.89.33.136:80", "77.78.196.173:443", "120.72.18.91:80", "50.28.51.143:8080", "190.64.88.186:443", "111.67.12.221:8080", "12.162.84.2:8080", "46.105.114.137:8080", "59.148.253.194:8080", "201.213.177.139:80", "82.76.52.155:80", "172.104.169.32:8080", "188.251.213.180:80", "46.43.2.95:8080", "137.74.106.111:7080", "188.135.15.49:80", "185.94.252.27:443", "197.232.36.108:80", "60.249.78.226:8080", "187.162.248.237:80", "181.129.96.162:8080", "46.101.58.37:8080", "109.242.153.9:80", "178.211.45.66:8080", "200.59.6.174:80", "83.103.179.156:80", "172.86.186.21:8080", "70.32.115.157:8080", "81.214.253.80:443", "201.49.239.200:443", "149.202.72.142:7080", "190.45.24.210:80", "186.189.249.2:80", "219.92.13.25:80", "170.81.48.2:80", "51.75.33.127:80", "192.241.143.52:8080", "45.33.77.42:8080", "152.169.22.67:80", "1.226.84.243:8080", "78.206.229.130:80", "37.179.145.105:80", "68.183.170.114:8080", "192.232.229.54:7080", "103.236.179.162:80", "70.32.84.74:8080", "79.118.74.90:80", "60.93.23.51:80", "181.120.29.49:80", "213.52.74.198:80", "51.255.165.160:8080", "183.176.82.231:80", "186.193.229.123:80", "98.103.204.12:443", "129.232.220.11:8080", "181.61.182.143:80", "68.183.190.199:8080", "190.115.18.139:8080", "200.24.255.23:80", "103.13.224.53:80", "85.214.26.7:8080", "190.24.243.186:80", "87.106.46.107:8080", "177.107.79.214:8080", "12.163.208.58:80", "187.162.250.23:443", "109.101.137.162:8080", "82.76.111.249:443", "181.30.61.163:443", "5.196.35.138:7080", "51.15.7.145:80", "192.198.91.138:443", "188.157.101.114:80", "189.2.177.210:443", "181.123.6.86:80", "109.190.35.249:80", "45.16.226.117:443", "190.190.219.184:80", "104.131.41.185:8080", "101.187.81.254:80", "62.84.75.50:80", "178.250.54.208:8080", "201.71.228.86:80", "190.92.122.226:80", "190.202.229.74:80", "118.69.11.81:7080", "70.39.251.94:8080", "87.230.25.43:8080", "94.23.62.116:8080", "37.187.161.206:8080", "45.46.37.97:80", "138.97.60.141:7080", "177.144.130.105:8080", "169.1.39.242:80", "209.236.123.42:8080", "202.134.4.210:7080", "193.251.77.110:80", "2.45.176.233:80", "217.13.106.14:8080", "189.223.16.99:80", "190.101.156.139:80", "77.238.212.227:80", "181.58
Source: 00000002.00000002.473344049.00000000004AE000.00000004.00000020.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["190.202.229.74:80", "118.69.11.81:7080", "70.39.251.94:8080", "87.230.25.43:8080", "94.23.62.116:8080", "37.187.161.206:8080", "45.46.37.97:80", "138.97.60.141:7080", "177.144.130.105:8080", "169.1.39.242:80", "209.236.123.42:8080", "202.134.4.210:7080", "193.251.77.110:80", "2.45.176.233:80", "217.13.106.14:8080", "189.223.16.99:80", "190.101.156.139:80", "77.238.212.227:80", "181.58.181.9:80", "37.183.81.217:80", "74.58.215.226:80", "174.118.202.24:443", "168.197.45.36:80", "81.215.230.173:443", "192.175.111.212:7080", "216.47.196.104:80", "128.92.203.42:80", "94.176.234.118:443", "191.182.6.118:80", "212.71.237.140:8080", "24.232.228.233:80", "177.73.0.98:443", "177.23.7.151:80", "24.135.69.146:80", "83.169.21.32:7080", "189.34.181.88:80", "179.222.115.170:80", "177.144.130.105:443", "213.197.182.158:8080", "5.89.33.136:80", "77.78.196.173:443", "120.72.18.91:80", "50.28.51.143:8080", "190.64.88.186:443", "111.67.12.221:8080", "12.162.84.2:8080", "46.105.114.137:8080", "59.148.253.194:8080", "201.213.177.139:80", "82.76.52.155:80", "172.104.169.32:8080", "188.251.213.180:80", "46.43.2.95:8080", "137.74.106.111:7080", "188.135.15.49:80", "185.94.252.27:443", "197.232.36.108:80", "60.249.78.226:8080", "187.162.248.237:80", "181.129.96.162:8080", "46.101.58.37:8080", "109.242.153.9:80", "178.211.45.66:8080", "200.59.6.174:80", "83.103.179.156:80", "172.86.186.21:8080", "70.32.115.157:8080", "81.214.253.80:443", "201.49.239.200:443", "149.202.72.142:7080", "190.45.24.210:80", "186.189.249.2:80", "219.92.13.25:80", "170.81.48.2:80", "51.75.33.127:80", "192.241.143.52:8080", "45.33.77.42:8080", "152.169.22.67:80", "1.226.84.243:8080", "78.206.229.130:80", "37.179.145.105:80", "68.183.170.114:8080", "192.232.229.54:7080", "103.236.179.162:80", "70.32.84.74:8080", "79.118.74.90:80", "60.93.23.51:80", "181.120.29.49:80", "213.52.74.198:80", "51.255.165.160:8080", "183.176.82.231:80", "186.193.229.123:80", "98.103.204.12:443", "129.232.220.11:8080", "181.61.182.143:80", "68.183.190.199:8080", "190.115.18.139:8080", "200.24.255.23:80", "103.13.224.53:80", "85.214.26.7:8080", "190.24.243.186:80", "87.106.46.107:8080", "177.107.79.214:8080", "12.163.208.58:80", "187.162.250.23:443", "109.101.137.162:8080", "82.76.111.249:443", "181.30.61.163:443", "5.196.35.138:7080", "51.15.7.145:80", "192.198.91.138:443", "188.157.101.114:80", "189.2.177.210:443", "181.123.6.86:80", "109.190.35.249:80", "45.16.226.117:443", "190.190.219.184:80", "104.131.41.185:8080", "101.187.81.254:80", "62.84.75.50:80", "178.250.54.208:8080", "201.71.228.86:80", "190.92.122.226:80", "190.202.229.74:80", "118.69.11.81:7080", "70.39.251.94:8080", "87.230.25.43:8080", "94.23.62.116:8080", "37.187.161.206:8080", "45.46.37.97:80", "138.97.60.141:7080", "177.144.130.105:8080", "169.1.39.242:80", "209.236.123.42:8080", "202.134.4.210:7080", "193.251.77.110:80", "2.45.176.233:80", "217.13.106.14:8080", "189.223.16.99:80", "190.101.156.139:80", "77.238.212.227:80", "181.58
Multi AV Scanner detection for submitted file
Source: idWMSrWvoE.exe Virustotal: Detection: 62% Perma Link
Source: idWMSrWvoE.exe Metadefender: Detection: 45% Perma Link
Source: idWMSrWvoE.exe ReversingLabs: Detection: 62%
Source: idWMSrWvoE.exe Virustotal: Detection: 62% Perma Link
Source: idWMSrWvoE.exe Metadefender: Detection: 45% Perma Link
Source: idWMSrWvoE.exe ReversingLabs: Detection: 62%
Machine Learning detection for sample
Source: idWMSrWvoE.exe Joe Sandbox ML: detected
Source: idWMSrWvoE.exe Joe Sandbox ML: detected

Cryptography:

barindex
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Code function: 2_2_022B2680 CryptCreateHash,CryptAcquireContextW,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptGenKey, 2_2_022B2680
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Code function: 2_2_022B22C0 CryptExportKey,CryptDestroyHash,memcpy,CryptEncrypt,RtlAllocateHeap,CryptDuplicateHash,CryptGetHashParam, 2_2_022B22C0
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Code function: 2_2_022B1FF0 memcpy,CryptDuplicateHash,CryptDestroyHash,RtlAllocateHeap, 2_2_022B1FF0
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Code function: 2_2_022B2680 CryptCreateHash,CryptAcquireContextW,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptGenKey, 2_2_022B2680
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Code function: 2_2_022B22C0 CryptExportKey,CryptDestroyHash,memcpy,CryptEncrypt,RtlAllocateHeap,CryptDuplicateHash,CryptGetHashParam, 2_2_022B22C0
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Code function: 2_2_022B1FF0 memcpy,CryptDuplicateHash,CryptDestroyHash,RtlAllocateHeap, 2_2_022B1FF0
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF3A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose, 1_2_02BF3A20
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF3A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose, 1_2_02BF3A20
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Code function: 2_2_022B3A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose, 2_2_022B3A20

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.3:49708 -> 190.202.229.74:80
Source: Traffic Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.3:49723 -> 118.69.11.81:7080
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.3:49726 -> 70.39.251.94:8080
Source: Traffic Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.3:49745 -> 87.230.25.43:8080
Source: Traffic Snort IDS: 2404348 ET CNC Feodo Tracker Reported CnC Server TCP group 25 192.168.2.3:49746 -> 94.23.62.116:8080
Source: Traffic Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.3:49708 -> 190.202.229.74:80
Source: Traffic Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.3:49723 -> 118.69.11.81:7080
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.3:49726 -> 70.39.251.94:8080
Source: Traffic Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.3:49745 -> 87.230.25.43:8080
Source: Traffic Snort IDS: 2404348 ET CNC Feodo Tracker Reported CnC Server TCP group 25 192.168.2.3:49746 -> 94.23.62.116:8080
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49723 -> 118.69.11.81:7080
Source: global traffic TCP traffic: 192.168.2.3:49726 -> 70.39.251.94:8080
Source: global traffic TCP traffic: 192.168.2.3:49745 -> 87.230.25.43:8080
Source: global traffic TCP traffic: 192.168.2.3:49746 -> 94.23.62.116:8080
Source: global traffic TCP traffic: 192.168.2.3:49723 -> 118.69.11.81:7080
Source: global traffic TCP traffic: 192.168.2.3:49726 -> 70.39.251.94:8080
Source: global traffic TCP traffic: 192.168.2.3:49745 -> 87.230.25.43:8080
Source: global traffic TCP traffic: 192.168.2.3:49746 -> 94.23.62.116:8080
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 87.230.25.43 87.230.25.43
Source: Joe Sandbox View IP Address: 87.230.25.43 87.230.25.43
Source: Joe Sandbox View IP Address: 94.23.62.116 94.23.62.116
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GD-EMEA-DC-SXB1DE GD-EMEA-DC-SXB1DE
Source: Joe Sandbox View ASN Name: GD-EMEA-DC-SXB1DE GD-EMEA-DC-SXB1DE
Source: Joe Sandbox View ASN Name: OVHFR OVHFR
Source: Joe Sandbox View ASN Name: CANTVServiciosVenezuelaVE CANTVServiciosVenezuelaVE
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.3:49708 -> 190.202.229.74:80
Source: global traffic TCP traffic: 192.168.2.3:49708 -> 190.202.229.74:80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /nfeQEXucjiq82zC5/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 94.23.62.116/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=--------------------fwd09PYMF4gQf98AEyXWUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 94.23.62.116:8080Content-Length: 4612Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /nfeQEXucjiq82zC5/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 94.23.62.116/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=--------------------fwd09PYMF4gQf98AEyXWUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 94.23.62.116:8080Content-Length: 4612Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: svchost.exe, 00000010.00000002.333256024.0000021A88313000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000010.00000002.333256024.0000021A88313000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000010.00000003.321264410.0000021A88373000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-11-12T09:39:07.5144221Z||.||9288d061-57da-41c3-82f2-684ccacde030||1152921505692410033||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000010.00000003.321264410.0000021A88373000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-11-12T09:39:07.5144221Z||.||9288d061-57da-41c3-82f2-684ccacde030||1152921505692410033||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000010.00000003.321300778.0000021A8836A000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI",5 equals www.facebook.com (Facebook)
Source: svchost.exe, 00000010.00000003.321300778.0000021A8836A000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI",5 equals www.twitter.com (Twitter)
Source: svchost.exe, 00000010.00000003.312665383.0000021A8837E000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000010.00000003.312665383.0000021A8837E000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000010.00000003.312665383.0000021A8837E000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000010.00000003.312837545.0000021A8835C000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":378738486,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6","PackageId":"07a1d8a1-8397-e482-20a2-bffb37866c1e-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
Source: svchost.exe, 00000010.00000003.312837545.0000021A8835C000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":378738486,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6","PackageId":"07a1d8a1-8397-e482-20a2-bffb37866c1e-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
Source: svchost.exe, 00000010.00000003.312837545.0000021A8835C000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":378738486,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6","PackageId":"07a1d8a1-8397-e482-20a2-bffb37866c1e-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
Source: svchost.exe, 00000010.00000003.312690799.0000021A883BE000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000010.00000003.312690799.0000021A883BE000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000010.00000003.312690799.0000021A883BE000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000010.00000002.333256024.0000021A88313000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000010.00000002.333256024.0000021A88313000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000010.00000003.321264410.0000021A88373000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-11-12T09:39:07.5144221Z||.||9288d061-57da-41c3-82f2-684ccacde030||1152921505692410033||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000010.00000003.321264410.0000021A88373000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-11-12T09:39:07.5144221Z||.||9288d061-57da-41c3-82f2-684ccacde030||1152921505692410033||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000010.00000003.321300778.0000021A8836A000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI",5 equals www.facebook.com (Facebook)
Source: svchost.exe, 00000010.00000003.321300778.0000021A8836A000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI",5 equals www.twitter.com (Twitter)
Source: svchost.exe, 00000010.00000003.312665383.0000021A8837E000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000010.00000003.312665383.0000021A8837E000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000010.00000003.312665383.0000021A8837E000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000010.00000003.312837545.0000021A8835C000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":378738486,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6","PackageId":"07a1d8a1-8397-e482-20a2-bffb37866c1e-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
Source: svchost.exe, 00000010.00000003.312837545.0000021A8835C000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":378738486,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6","PackageId":"07a1d8a1-8397-e482-20a2-bffb37866c1e-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
Source: svchost.exe, 00000010.00000003.312837545.0000021A8835C000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":378738486,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6","PackageId":"07a1d8a1-8397-e482-20a2-bffb37866c1e-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
Source: svchost.exe, 00000010.00000003.312690799.0000021A883BE000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000010.00000003.312690799.0000021A883BE000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000010.00000003.312690799.0000021A883BE000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: unknown HTTP traffic detected: POST /nfeQEXucjiq82zC5/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 94.23.62.116/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=--------------------fwd09PYMF4gQf98AEyXWUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 94.23.62.116:8080Content-Length: 4612Cache-Control: no-cache
Source: unknown HTTP traffic detected: POST /nfeQEXucjiq82zC5/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 94.23.62.116/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=--------------------fwd09PYMF4gQf98AEyXWUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 94.23.62.116:8080Content-Length: 4612Cache-Control: no-cache
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.478608765.0000000002E8B000.00000004.00000001.sdmp String found in binary or memory: http://118.69.11.81:7080/w0zhJJ/Xo37fDZ10EAUvW/Ivl77pV9i0HvESO7Qm7/
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.478608765.0000000002E8B000.00000004.00000001.sdmp String found in binary or memory: http://70.39.251.94:8080/nNI6xxtArQrOrZiIkg/RPH597xj8/ZL8CK1/
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.478608765.0000000002E8B000.00000004.00000001.sdmp String found in binary or memory: http://87.230.25.43:8080/ZgOU/HBN3/HkA7/
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000003.410577480.0000000002E8A000.00000004.00000001.sdmp String found in binary or memory: http://87.230.25.43:8080/ZgOU/HBN3/HkA7/7/
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.478608765.0000000002E8B000.00000004.00000001.sdmp String found in binary or memory: http://87.230.25.43:8080/ZgOU/HBN3/HkA7/7V
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.478608765.0000000002E8B000.00000004.00000001.sdmp String found in binary or memory: http://87.230.25.43:8080/ZgOU/HBN3/HkA7/EAUvW/Ivl77pV9i0HvESO7Qm7/Y
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000003.410577480.0000000002E8A000.00000004.00000001.sdmp String found in binary or memory: http://87.230.25.43:8080/ZgOU/HBN3/HkA7/lesi
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.478608765.0000000002E8B000.00000004.00000001.sdmp String found in binary or memory: http://94.23.62.116:8080/nfeQEXucjiq82zC5/
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.478608765.0000000002E8B000.00000004.00000001.sdmp String found in binary or memory: http://94.23.62.116:8080/nfeQEXucjiq82zC5/5
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.478608765.0000000002E8B000.00000004.00000001.sdmp String found in binary or memory: http://94.23.62.116:8080/nfeQEXucjiq82zC5/?
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.478608765.0000000002E8B000.00000004.00000001.sdmp String found in binary or memory: http://94.23.62.116:8080/nfeQEXucjiq82zC5/M
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.478608765.0000000002E8B000.00000004.00000001.sdmp String found in binary or memory: http://94.23.62.116:8080/nfeQEXucjiq82zC5/q
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.478608765.0000000002E8B000.00000004.00000001.sdmp String found in binary or memory: http://94.23.62.116:8080/nfeQEXucjiq82zC5/v
Source: svchost.exe, 00000010.00000002.333009653.0000021A87AEF000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 00000010.00000002.333009653.0000021A87AEF000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 00000003.00000002.478663013.0000017671289000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000010.00000002.333009653.0000021A87AEF000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 00000010.00000002.333009653.0000021A87AEF000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 00000003.00000002.478663013.0000017671289000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000003.00000002.478663013.0000017671289000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000003.00000002.477853836.00000176710B0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000003.00000002.474506870.000001766BAAA000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/e
Source: svchost.exe, 0000000B.00000002.311131690.0000025F76013000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000010.00000003.312665383.0000021A8837E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.312690799.0000021A883BE000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.312837545.0000021A8835C000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 00000010.00000003.312665383.0000021A8837E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.312690799.0000021A883BE000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.312837545.0000021A8835C000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 00000010.00000003.311780297.0000021A8835B000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/privacy
Source: svchost.exe, 00000010.00000003.311780297.0000021A8835B000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/terms
Source: svchost.exe, 00000008.00000002.473666295.000002D8B1C3D000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000008.00000002.473666295.000002D8B1C3D000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000008.00000002.473666295.000002D8B1C3D000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000B.00000003.310229599.0000025F7605F000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000008.00000002.473666295.000002D8B1C3D000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000008.00000002.473666295.000002D8B1C3D000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000010.00000003.320538040.0000021A8836E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.320704604.0000021A88324000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 00000010.00000003.320538040.0000021A8836E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.320704604.0000021A88324000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.320523356.0000021A88366000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000000B.00000003.310291045.0000025F7605A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.310229599.0000025F7605F000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.311156778.0000025F7603C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.310229599.0000025F7605F000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.311156778.0000025F7603C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.310229599.0000025F7605F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000B.00000003.310229599.0000025F7605F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000B.00000003.310229599.0000025F7605F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000B.00000002.311162931.0000025F76042000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000B.00000002.311162931.0000025F76042000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000B.00000003.310229599.0000025F7605F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000003.310291045.0000025F7605A000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.310352579.0000025F76040000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000010.00000003.311523088.0000021A88333000.00000004.00000001.sdmp String found in binary or memory: https://displaycatalog.mp
Source: svchost.exe, 0000000B.00000003.310291045.0000025F7605A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.310291045.0000025F7605A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.310291045.0000025F7605A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.310324926.0000025F76045000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.310291045.0000025F7605A000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.311162931.0000025F76042000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.310341968.0000025F76056000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000B.00000003.310229599.0000025F7605F000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.311156778.0000025F7603C000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.287974151.0000025F76031000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000010.00000003.320538040.0000021A8836E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.320704604.0000021A88324000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 00000010.00000003.312665383.0000021A8837E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.312690799.0000021A883BE000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.312837545.0000021A8835C000.00000004.00000001.sdmp String found in binary or memory: https://instagram.com/hiddencity_
Source: svchost.exe, 0000000B.00000002.311156778.0000025F7603C000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.311131690.0000025F76013000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.311156778.0000025F7603C000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.310341968.0000025F76056000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.310341968.0000025F76056000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.287974151.0000025F76031000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000B.00000003.287974151.0000025F76031000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000B.00000003.310324926.0000025F76045000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000010.00000003.311780297.0000021A8835B000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/ca-privacy-rights
Source: svchost.exe, 00000010.00000003.311780297.0000021A8835B000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
Source: svchost.exe, 00000010.00000003.320538040.0000021A8836E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.320704604.0000021A88324000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 00000010.00000003.320538040.0000021A8836E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.320704604.0000021A88324000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.478608765.0000000002E8B000.00000004.00000001.sdmp String found in binary or memory: http://118.69.11.81:7080/w0zhJJ/Xo37fDZ10EAUvW/Ivl77pV9i0HvESO7Qm7/
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.478608765.0000000002E8B000.00000004.00000001.sdmp String found in binary or memory: http://70.39.251.94:8080/nNI6xxtArQrOrZiIkg/RPH597xj8/ZL8CK1/
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.478608765.0000000002E8B000.00000004.00000001.sdmp String found in binary or memory: http://87.230.25.43:8080/ZgOU/HBN3/HkA7/
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000003.410577480.0000000002E8A000.00000004.00000001.sdmp String found in binary or memory: http://87.230.25.43:8080/ZgOU/HBN3/HkA7/7/
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.478608765.0000000002E8B000.00000004.00000001.sdmp String found in binary or memory: http://87.230.25.43:8080/ZgOU/HBN3/HkA7/7V
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.478608765.0000000002E8B000.00000004.00000001.sdmp String found in binary or memory: http://87.230.25.43:8080/ZgOU/HBN3/HkA7/EAUvW/Ivl77pV9i0HvESO7Qm7/Y
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000003.410577480.0000000002E8A000.00000004.00000001.sdmp String found in binary or memory: http://87.230.25.43:8080/ZgOU/HBN3/HkA7/lesi
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.478608765.0000000002E8B000.00000004.00000001.sdmp String found in binary or memory: http://94.23.62.116:8080/nfeQEXucjiq82zC5/
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.478608765.0000000002E8B000.00000004.00000001.sdmp String found in binary or memory: http://94.23.62.116:8080/nfeQEXucjiq82zC5/5
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.478608765.0000000002E8B000.00000004.00000001.sdmp String found in binary or memory: http://94.23.62.116:8080/nfeQEXucjiq82zC5/?
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.478608765.0000000002E8B000.00000004.00000001.sdmp String found in binary or memory: http://94.23.62.116:8080/nfeQEXucjiq82zC5/M
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.478608765.0000000002E8B000.00000004.00000001.sdmp String found in binary or memory: http://94.23.62.116:8080/nfeQEXucjiq82zC5/q
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.478608765.0000000002E8B000.00000004.00000001.sdmp String found in binary or memory: http://94.23.62.116:8080/nfeQEXucjiq82zC5/v
Source: svchost.exe, 00000010.00000002.333009653.0000021A87AEF000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 00000010.00000002.333009653.0000021A87AEF000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 00000003.00000002.478663013.0000017671289000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000010.00000002.333009653.0000021A87AEF000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 00000010.00000002.333009653.0000021A87AEF000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 00000003.00000002.478663013.0000017671289000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000003.00000002.478663013.0000017671289000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000003.00000002.477853836.00000176710B0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000003.00000002.474506870.000001766BAAA000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/e
Source: svchost.exe, 0000000B.00000002.311131690.0000025F76013000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000010.00000003.312665383.0000021A8837E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.312690799.0000021A883BE000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.312837545.0000021A8835C000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 00000010.00000003.312665383.0000021A8837E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.312690799.0000021A883BE000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.312837545.0000021A8835C000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 00000010.00000003.311780297.0000021A8835B000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/privacy
Source: svchost.exe, 00000010.00000003.311780297.0000021A8835B000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/terms
Source: svchost.exe, 00000008.00000002.473666295.000002D8B1C3D000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000008.00000002.473666295.000002D8B1C3D000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000008.00000002.473666295.000002D8B1C3D000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000B.00000003.310229599.0000025F7605F000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000008.00000002.473666295.000002D8B1C3D000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000008.00000002.473666295.000002D8B1C3D000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000010.00000003.320538040.0000021A8836E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.320704604.0000021A88324000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 00000010.00000003.320538040.0000021A8836E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.320704604.0000021A88324000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.320523356.0000021A88366000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000000B.00000003.310291045.0000025F7605A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.310229599.0000025F7605F000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.311156778.0000025F7603C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.310229599.0000025F7605F000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.311156778.0000025F7603C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.310229599.0000025F7605F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000B.00000003.310229599.0000025F7605F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000B.00000003.310229599.0000025F7605F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000B.00000002.311162931.0000025F76042000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000B.00000002.311162931.0000025F76042000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000B.00000003.310229599.0000025F7605F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000003.310291045.0000025F7605A000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.310352579.0000025F76040000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000010.00000003.311523088.0000021A88333000.00000004.00000001.sdmp String found in binary or memory: https://displaycatalog.mp
Source: svchost.exe, 0000000B.00000003.310291045.0000025F7605A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.310291045.0000025F7605A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.310291045.0000025F7605A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.310324926.0000025F76045000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.310291045.0000025F7605A000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.311162931.0000025F76042000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.310341968.0000025F76056000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000B.00000003.310229599.0000025F7605F000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.311156778.0000025F7603C000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.287974151.0000025F76031000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000010.00000003.320538040.0000021A8836E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.320704604.0000021A88324000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 00000010.00000003.312665383.0000021A8837E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.312690799.0000021A883BE000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.312837545.0000021A8835C000.00000004.00000001.sdmp String found in binary or memory: https://instagram.com/hiddencity_
Source: svchost.exe, 0000000B.00000002.311156778.0000025F7603C000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.311131690.0000025F76013000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.311156778.0000025F7603C000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.310341968.0000025F76056000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.310341968.0000025F76056000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.287974151.0000025F76031000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000B.00000003.287974151.0000025F76031000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000B.00000003.310324926.0000025F76045000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000010.00000003.311780297.0000021A8835B000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/ca-privacy-rights
Source: svchost.exe, 00000010.00000003.311780297.0000021A8835B000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
Source: svchost.exe, 00000010.00000003.320538040.0000021A8836E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.320704604.0000021A88324000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 00000010.00000003.320538040.0000021A8836E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.320704604.0000021A88324000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy

E-Banking Fraud:

barindex
Yara detected Emotet
Source: Yara match File source: 00000002.00000002.473344049.00000000004AE000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.212747203.0000000002BF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.212084760.0000000000631000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.474635220.00000000022B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.211614654.0000000000631000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.idWMSrWvoE.exe.2bf0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows.Networking.Sockets.PushEnabledApplication.exe.22b0000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Code function: 2_2_022B2680 CryptCreateHash,CryptAcquireContextW,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptGenKey, 2_2_022B2680
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Code function: 2_2_022B2680 CryptCreateHash,CryptAcquireContextW,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptGenKey, 2_2_022B2680

System Summary:

barindex
Contains functionality to call native functions
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BE01F0 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 1_2_02BE01F0
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BE01F0 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 1_2_02BE01F0
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Code function: 2_2_022A01F0 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 2_2_022A01F0
Creates files inside the system directory
Source: C:\Users\user\Desktop\idWMSrWvoE.exe File created: C:\Windows\SysWOW64\mfc120esn\ Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe File created: C:\Windows\SysWOW64\mfc120esn\ Jump to behavior
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\idWMSrWvoE.exe File deleted: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe:Zone.Identifier Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe File deleted: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe:Zone.Identifier Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_00436010 1_2_00436010
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_0040B982 1_2_0040B982
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_0040B73E 1_2_0040B73E
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF86F0 1_2_02BF86F0
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF8330 1_2_02BF8330
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF3EE0 1_2_02BF3EE0
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF42C9 1_2_02BF42C9
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF7B30 1_2_02BF7B30
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF3CE0 1_2_02BF3CE0
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF6860 1_2_02BF6860
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF41B7 1_2_02BF41B7
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF4190 1_2_02BF4190
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_00436010 1_2_00436010
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_0040B982 1_2_0040B982
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_0040B73E 1_2_0040B73E
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF86F0 1_2_02BF86F0
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF8330 1_2_02BF8330
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF3EE0 1_2_02BF3EE0
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF42C9 1_2_02BF42C9
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF7B30 1_2_02BF7B30
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF3CE0 1_2_02BF3CE0
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF6860 1_2_02BF6860
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF41B7 1_2_02BF41B7
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF4190 1_2_02BF4190
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Code function: 2_2_022B86F0 2_2_022B86F0
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Code function: 2_2_022B8330 2_2_022B8330
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Code function: 2_2_022B7B30 2_2_022B7B30
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Code function: 2_2_022B6860 2_2_022B6860
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Code function: 2_2_022B41B7 2_2_022B41B7
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Code function: 2_2_022B4190 2_2_022B4190
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Code function: 2_2_022B3CE0 2_2_022B3CE0
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Code function: 2_2_022B3EE0 2_2_022B3EE0
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Code function: 2_2_022B42C9 2_2_022B42C9
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: String function: 004275D0 appears 38 times
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: String function: 004275D0 appears 38 times
Sample file is different than original file name gathered from version info
Source: idWMSrWvoE.exe, 00000001.00000000.208986325.0000000000452000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBCoder.exe vs idWMSrWvoE.exe
Source: idWMSrWvoE.exe, 00000001.00000002.213148327.00000000031F0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs idWMSrWvoE.exe
Source: idWMSrWvoE.exe, 00000001.00000002.213340202.00000000032F0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs idWMSrWvoE.exe
Source: idWMSrWvoE.exe, 00000001.00000002.213340202.00000000032F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs idWMSrWvoE.exe
Source: idWMSrWvoE.exe Binary or memory string: OriginalFilenameBCoder.exe vs idWMSrWvoE.exe
Source: idWMSrWvoE.exe, 00000001.00000000.208986325.0000000000452000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBCoder.exe vs idWMSrWvoE.exe
Source: idWMSrWvoE.exe, 00000001.00000002.213148327.00000000031F0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs idWMSrWvoE.exe
Source: idWMSrWvoE.exe, 00000001.00000002.213340202.00000000032F0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs idWMSrWvoE.exe
Source: idWMSrWvoE.exe, 00000001.00000002.213340202.00000000032F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs idWMSrWvoE.exe
Source: idWMSrWvoE.exe Binary or memory string: OriginalFilenameBCoder.exe vs idWMSrWvoE.exe
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll Jump to behavior
Source: idWMSrWvoE.exe Binary or memory string: XML Files|*.xml|Text Files|*.txt|Java Script Files|*.js|C/C++ Files|*.c;*.cpp;*.h|Html Files|*.html;*.htm|Java Source|*.java|Pascal Files|*.pas|Basic Files|*.bas;*.frm;*.vbp|All Files|*.*
Source: idWMSrWvoE.exe Binary or memory string: All Files|*.*|All Supported Files|*txt;*.htm;*.html;*.java;*.js;*.c;*.cpp;*.h;*.xml;*.pas;*.bas;*.frm;*.vbp|Text Files|*.txt|Java Source|*.java|Html Files|*.html;*.htm|Java Script Files|*.js|C/C++ Files|*.c;*.cpp;*.h|XML Files|*.xml|Pascal Files|*.pas|Basic Files|*.bas;*.frm;*.vbpSelLengthPrintContents
Source: idWMSrWvoE.exe Binary or memory string: Pascal Files|*.pas|Text Files|*.txt|Java Script Files|*.js|C/C++ Files|*.c;*.cpp;*.h|Basic Files|*.bas;*.frm;*.vbp|Html Files|*.html;*.htm|XML Files|*.xml|Java Source|*.java|All Files|*.*
Source: idWMSrWvoE.exe Binary or memory string: Html Files|*.html;*.htm|Text Files|*.txt|Java Source|*.java|Java Script Files|*.js|C/C++ Files|*.c;*.cpp;*.h|XML Files|*.xml|Pascal Files|*.pas|Basic Files|*.bas;*.frm;*.vbp|All Files|*.*
Source: idWMSrWvoE.exe Binary or memory string: ascal Files|*.pas|Text Files|*.txt|Java Script Files|*.js|C/C++ Files|*.c;*.cpp;*.h|Basic Files|*.bas;*.frm;*.vbp|Html Files|*.htm
Source: idWMSrWvoE.exe Binary or memory string: D*\AC:\Users\911\Desktop\bcoder\BCoder.vbp
Source: idWMSrWvoE.exe Binary or memory string: Files|*.pas|Basic Files|*.bas;*.frm;*.vbp|All Files|*.*
Source: idWMSrWvoE.exe Binary or memory string: All Files|*.*|All Supported Files|*txt;*.htm;*.html;*.java;*.js;*.c;*.cpp;*.h;*.xml;*.pas;*.bas;*.frm;*.vbp|Text Files|*.txt|Java
Source: idWMSrWvoE.exe Binary or memory string: s|*.bas;*.frm;*.vbp
Source: idWMSrWvoE.exe Binary or memory string: Basic Files|*.bas;*.frm;*.vbp|Text Files|*.txt|Java Script Files|*.js|C/C++ Files|*.c;*.cpp;*.h|Html Files|*.html;*.htm|XML Files|
Source: idWMSrWvoE.exe Binary or memory string: Pascal Files|*.pas|Text Files|*.txt|Java Script Files|*.js|C/C++ Files|*.c;*.cpp;*.h|Basic Files|*.bas;*.frm;*.vbp|Html Files|*.ht
Source: idWMSrWvoE.exe Binary or memory string: Basic Files|*.bas;*.frm;*.vbp|Text Files|*.txt|Java Script Files|*.js|C/C++ Files|*.c;*.cpp;*.h|Html Files|*.html;*.htm|XML Files|*.xml|Java Source|*.java|Pascal Files|*.pas|All Files|*.*
Source: idWMSrWvoE.exe, 00000001.00000002.211921078.000000000044D000.00000004.00020000.sdmp, Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.473181050.000000000044D000.00000004.00020000.sdmp Binary or memory string: @*\AC:\Users\911\Desktop\bcoder\BCoder.vbp
Source: idWMSrWvoE.exe Binary or memory string: C/C++ Files|*.c;*.cpp;*.h|Text Files|*.txt|Java Source|*.java|Java Script Files|*.js|Html Files|*.html;*.htm|XML Files|*.xml|Pascal Files|*.pas|Basic Files|*.bas;*.frm;*.vbp|All Files|*.*
Source: idWMSrWvoE.exe Binary or memory string: Java Source|*.java|Text Files|*.txt|Java Script Files|*.js|C/C++ Files|*.c;*.cpp;*.h|Html Files|*.html;*.htm|XML Files|*.xml|Pascal Files|*.pas|Basic Files|*.bas;*.frm;*.vbp|All Files|*.*
Source: idWMSrWvoE.exe Binary or memory string: XML Files|*.xml|Text Files|*.txt|Java Script Files|*.js|C/C++ Files|*.c;*.cpp;*.h|Html Files|*.html;*.htm|Java Source|*.java|Pascal Files|*.pas|Basic Files|*.bas;*.frm;*.vbp|All Files|*.*
Source: idWMSrWvoE.exe Binary or memory string: All Files|*.*|All Supported Files|*txt;*.htm;*.html;*.java;*.js;*.c;*.cpp;*.h;*.xml;*.pas;*.bas;*.frm;*.vbp|Text Files|*.txt|Java Source|*.java|Html Files|*.html;*.htm|Java Script Files|*.js|C/C++ Files|*.c;*.cpp;*.h|XML Files|*.xml|Pascal Files|*.pas|Basic Files|*.bas;*.frm;*.vbpSelLengthPrintContents
Source: idWMSrWvoE.exe Binary or memory string: Pascal Files|*.pas|Text Files|*.txt|Java Script Files|*.js|C/C++ Files|*.c;*.cpp;*.h|Basic Files|*.bas;*.frm;*.vbp|Html Files|*.html;*.htm|XML Files|*.xml|Java Source|*.java|All Files|*.*
Source: idWMSrWvoE.exe Binary or memory string: Html Files|*.html;*.htm|Text Files|*.txt|Java Source|*.java|Java Script Files|*.js|C/C++ Files|*.c;*.cpp;*.h|XML Files|*.xml|Pascal Files|*.pas|Basic Files|*.bas;*.frm;*.vbp|All Files|*.*
Source: idWMSrWvoE.exe Binary or memory string: ascal Files|*.pas|Text Files|*.txt|Java Script Files|*.js|C/C++ Files|*.c;*.cpp;*.h|Basic Files|*.bas;*.frm;*.vbp|Html Files|*.htm
Source: idWMSrWvoE.exe Binary or memory string: D*\AC:\Users\911\Desktop\bcoder\BCoder.vbp
Source: idWMSrWvoE.exe Binary or memory string: Files|*.pas|Basic Files|*.bas;*.frm;*.vbp|All Files|*.*
Source: idWMSrWvoE.exe Binary or memory string: All Files|*.*|All Supported Files|*txt;*.htm;*.html;*.java;*.js;*.c;*.cpp;*.h;*.xml;*.pas;*.bas;*.frm;*.vbp|Text Files|*.txt|Java
Source: idWMSrWvoE.exe Binary or memory string: s|*.bas;*.frm;*.vbp
Source: idWMSrWvoE.exe Binary or memory string: Basic Files|*.bas;*.frm;*.vbp|Text Files|*.txt|Java Script Files|*.js|C/C++ Files|*.c;*.cpp;*.h|Html Files|*.html;*.htm|XML Files|
Source: idWMSrWvoE.exe Binary or memory string: Pascal Files|*.pas|Text Files|*.txt|Java Script Files|*.js|C/C++ Files|*.c;*.cpp;*.h|Basic Files|*.bas;*.frm;*.vbp|Html Files|*.ht
Source: idWMSrWvoE.exe Binary or memory string: Basic Files|*.bas;*.frm;*.vbp|Text Files|*.txt|Java Script Files|*.js|C/C++ Files|*.c;*.cpp;*.h|Html Files|*.html;*.htm|XML Files|*.xml|Java Source|*.java|Pascal Files|*.pas|All Files|*.*
Source: idWMSrWvoE.exe, 00000001.00000002.211921078.000000000044D000.00000004.00020000.sdmp, Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.473181050.000000000044D000.00000004.00020000.sdmp Binary or memory string: @*\AC:\Users\911\Desktop\bcoder\BCoder.vbp
Source: idWMSrWvoE.exe Binary or memory string: C/C++ Files|*.c;*.cpp;*.h|Text Files|*.txt|Java Source|*.java|Java Script Files|*.js|Html Files|*.html;*.htm|XML Files|*.xml|Pascal Files|*.pas|Basic Files|*.bas;*.frm;*.vbp|All Files|*.*
Source: idWMSrWvoE.exe Binary or memory string: Java Source|*.java|Text Files|*.txt|Java Script Files|*.js|C/C++ Files|*.c;*.cpp;*.h|Html Files|*.html;*.htm|XML Files|*.xml|Pascal Files|*.pas|Basic Files|*.bas;*.frm;*.vbp|All Files|*.*
Source: classification engine Classification label: mal88.troj.evad.winEXE@18/8@0/7
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: CreateServiceW,CloseServiceHandle,_snwprintf,HeapFree,OpenSCManagerW,CloseServiceHandle, 1_2_02BF8CA0
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: CreateServiceW,CloseServiceHandle,_snwprintf,HeapFree,OpenSCManagerW,CloseServiceHandle, 1_2_02BF8CA0
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Code function: 2_2_022B4FD0 Process32NextW,Process32NextW,Process32FirstW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,FindCloseChangeNotification, 2_2_022B4FD0
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Code function: 2_2_022B4FD0 Process32NextW,Process32NextW,Process32FirstW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,FindCloseChangeNotification, 2_2_022B4FD0
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF5390 ChangeServiceConfig2W,OpenServiceW,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree, 1_2_02BF5390
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF5390 ChangeServiceConfig2W,OpenServiceW,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree, 1_2_02BF5390
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6696:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6696:120:WilError_01
Source: idWMSrWvoE.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: idWMSrWvoE.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: idWMSrWvoE.exe Virustotal: Detection: 62%
Source: idWMSrWvoE.exe Metadefender: Detection: 45%
Source: idWMSrWvoE.exe ReversingLabs: Detection: 62%
Source: idWMSrWvoE.exe Virustotal: Detection: 62%
Source: idWMSrWvoE.exe Metadefender: Detection: 45%
Source: idWMSrWvoE.exe ReversingLabs: Detection: 62%
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Users\user\Desktop\idWMSrWvoE.exe 'C:\Users\user\Desktop\idWMSrWvoE.exe'
Source: unknown Process created: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Process created: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable Jump to behavior
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Users\user\Desktop\idWMSrWvoE.exe 'C:\Users\user\Desktop\idWMSrWvoE.exe'
Source: unknown Process created: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Process created: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32 Jump to behavior

Data Obfuscation:

barindex
PE file contains an invalid checksum
Source: idWMSrWvoE.exe Static PE information: real checksum: 0x58a28 should be: 0x70548
Source: idWMSrWvoE.exe Static PE information: real checksum: 0x58a28 should be: 0x70548
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_00401DE8 push cs; retf 1_2_00401DE9
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF62A0 push ecx; mov dword ptr [esp], 0000BFAAh 1_2_02BF62A1
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF62D0 push ecx; mov dword ptr [esp], 00001969h 1_2_02BF62D1
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF6220 push ecx; mov dword ptr [esp], 00004B50h 1_2_02BF6221
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF6240 push ecx; mov dword ptr [esp], 00008F23h 1_2_02BF6241
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF6320 push ecx; mov dword ptr [esp], 00009128h 1_2_02BF6321
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF6090 push ecx; mov dword ptr [esp], 0000BAD9h 1_2_02BF6091
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF60F0 push ecx; mov dword ptr [esp], 0000A172h 1_2_02BF60F1
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF61B0 push ecx; mov dword ptr [esp], 000003A6h 1_2_02BF61B1
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF6180 push ecx; mov dword ptr [esp], 0000D106h 1_2_02BF6181
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF61D0 push ecx; mov dword ptr [esp], 00004B56h 1_2_02BF61D1
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF6140 push ecx; mov dword ptr [esp], 00004AF2h 1_2_02BF6141
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F2433 push edx; ret 1_2_021F2461
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F0218 push edx; ret 1_2_021F0241
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F6214 push edx; ret 1_2_021F6241
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F4A13 push edx; ret 1_2_021F4A41
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F3213 push edx; ret 1_2_021F3241
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F1A13 push edx; ret 1_2_021F1A41
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F4205 push edx; ret 1_2_021F4231
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F2A05 push edx; ret 1_2_021F2A31
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F1205 push edx; ret 1_2_021F1231
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F5A03 push edx; ret 1_2_021F5A31
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F4233 push edx; ret 1_2_021F4261
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F2A33 push edx; ret 1_2_021F2A61
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F1233 push edx; ret 1_2_021F1261
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F5A33 push edx; ret 1_2_021F5A61
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F5225 push edx; ret 1_2_021F5251
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F3A24 push edx; ret 1_2_021F3A51
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F2224 push edx; ret 1_2_021F2251
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F0A24 push edx; ret 1_2_021F0A51
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F6A24 push edx; ret 1_2_021F6A51
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_00401DE8 push cs; retf 1_2_00401DE9
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF62A0 push ecx; mov dword ptr [esp], 0000BFAAh 1_2_02BF62A1
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF62D0 push ecx; mov dword ptr [esp], 00001969h 1_2_02BF62D1
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF6220 push ecx; mov dword ptr [esp], 00004B50h 1_2_02BF6221
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF6240 push ecx; mov dword ptr [esp], 00008F23h 1_2_02BF6241
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF6320 push ecx; mov dword ptr [esp], 00009128h 1_2_02BF6321
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF6090 push ecx; mov dword ptr [esp], 0000BAD9h 1_2_02BF6091
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF60F0 push ecx; mov dword ptr [esp], 0000A172h 1_2_02BF60F1
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF61B0 push ecx; mov dword ptr [esp], 000003A6h 1_2_02BF61B1
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF6180 push ecx; mov dword ptr [esp], 0000D106h 1_2_02BF6181
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF61D0 push ecx; mov dword ptr [esp], 00004B56h 1_2_02BF61D1
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF6140 push ecx; mov dword ptr [esp], 00004AF2h 1_2_02BF6141
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F2433 push edx; ret 1_2_021F2461
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F0218 push edx; ret 1_2_021F0241
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F6214 push edx; ret 1_2_021F6241
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F4A13 push edx; ret 1_2_021F4A41
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F3213 push edx; ret 1_2_021F3241
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F1A13 push edx; ret 1_2_021F1A41
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F4205 push edx; ret 1_2_021F4231
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F2A05 push edx; ret 1_2_021F2A31
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F1205 push edx; ret 1_2_021F1231
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F5A03 push edx; ret 1_2_021F5A31
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F4233 push edx; ret 1_2_021F4261
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F2A33 push edx; ret 1_2_021F2A61
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F1233 push edx; ret 1_2_021F1261
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F5A33 push edx; ret 1_2_021F5A61
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F5225 push edx; ret 1_2_021F5251
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F3A24 push edx; ret 1_2_021F3A51
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F2224 push edx; ret 1_2_021F2251
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F0A24 push edx; ret 1_2_021F0A51
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_021F6A24 push edx; ret 1_2_021F6A51

Persistence and Installation Behavior:

barindex
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Executable created and started: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Executable created and started: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Jump to behavior
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\idWMSrWvoE.exe PE file moved: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe PE file moved: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\idWMSrWvoE.exe File opened: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe File opened: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\idWMSrWvoE.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: ChangeServiceConfig2W,OpenServiceW,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree, 1_2_02BF5390
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: ChangeServiceConfig2W,OpenServiceW,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree, 1_2_02BF5390
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6000 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6704 Thread sleep time: -270000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6000 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6704 Thread sleep time: -270000s >= -30000s Jump to behavior
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\idWMSrWvoE.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF3A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose, 1_2_02BF3A20
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF3A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose, 1_2_02BF3A20
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Code function: 2_2_022B3A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose, 2_2_022B3A20
Source: svchost.exe, 00000000.00000002.218756362.0000026CE6540000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.277927660.000002EAF8C60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.291828712.000001F50F2A0000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.474381560.000002D8B22B0000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.334150695.0000021A88A00000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000003.00000002.478562538.0000017671261000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.478608765.0000000002E8B000.00000004.00000001.sdmp, svchost.exe, 00000003.00000002.478511815.0000017671254000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.333009653.0000021A87AEF000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000007.00000002.473394181.000001EEB6402000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000000.00000002.218756362.0000026CE6540000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.277927660.000002EAF8C60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.291828712.000001F50F2A0000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.474381560.000002D8B22B0000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.334150695.0000021A88A00000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000000.00000002.218756362.0000026CE6540000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.277927660.000002EAF8C60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.291828712.000001F50F2A0000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.474381560.000002D8B22B0000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.334150695.0000021A88A00000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000010.00000002.332948405.0000021A87AA7000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW@
Source: svchost.exe, 00000007.00000002.473523436.000001EEB6440000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.473890568.000002D8B1C6A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.473320347.000002D4D3429000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000000.00000002.218756362.0000026CE6540000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.277927660.000002EAF8C60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.291828712.000001F50F2A0000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.474381560.000002D8B22B0000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.334150695.0000021A88A00000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: svchost.exe, 00000000.00000002.218756362.0000026CE6540000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.277927660.000002EAF8C60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.291828712.000001F50F2A0000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.474381560.000002D8B22B0000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.334150695.0000021A88A00000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000003.00000002.478562538.0000017671261000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.478608765.0000000002E8B000.00000004.00000001.sdmp, svchost.exe, 00000003.00000002.478511815.0000017671254000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.333009653.0000021A87AEF000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000007.00000002.473394181.000001EEB6402000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000000.00000002.218756362.0000026CE6540000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.277927660.000002EAF8C60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.291828712.000001F50F2A0000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.474381560.000002D8B22B0000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.334150695.0000021A88A00000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000000.00000002.218756362.0000026CE6540000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.277927660.000002EAF8C60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.291828712.000001F50F2A0000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.474381560.000002D8B22B0000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.334150695.0000021A88A00000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000010.00000002.332948405.0000021A87AA7000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW@
Source: svchost.exe, 00000007.00000002.473523436.000001EEB6440000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.473890568.000002D8B1C6A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.473320347.000002D4D3429000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000000.00000002.218756362.0000026CE6540000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.277927660.000002EAF8C60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.291828712.000001F50F2A0000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.474381560.000002D8B22B0000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.334150695.0000021A88A00000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF4190 mov eax, dword ptr fs:[00000030h] 1_2_02BF4190
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF5140 mov eax, dword ptr fs:[00000030h] 1_2_02BF5140
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF4190 mov eax, dword ptr fs:[00000030h] 1_2_02BF4190
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BF5140 mov eax, dword ptr fs:[00000030h] 1_2_02BF5140
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Code function: 2_2_022B5140 mov eax, dword ptr fs:[00000030h] 2_2_022B5140
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Code function: 2_2_022B4190 mov eax, dword ptr fs:[00000030h] 2_2_022B4190
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BE01F0 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 1_2_02BE01F0
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Code function: 1_2_02BE01F0 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 1_2_02BE01F0
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.474332627.0000000000DB0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.474311625.000001976FB90000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.474332627.0000000000DB0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.474311625.000001976FB90000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.474332627.0000000000DB0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.474311625.000001976FB90000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.474332627.0000000000DB0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.474311625.000001976FB90000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.474332627.0000000000DB0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.474311625.000001976FB90000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.474332627.0000000000DB0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.474311625.000001976FB90000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.474332627.0000000000DB0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.474311625.000001976FB90000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Windows.Networking.Sockets.PushEnabledApplication.exe, 00000002.00000002.474332627.0000000000DB0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.474311625.000001976FB90000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\idWMSrWvoE.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Code function: 2_2_022B5720 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo, 2_2_022B5720
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Code function: 2_2_022B5720 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo, 2_2_022B5720
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\mfc120esn\Windows.Networking.Sockets.PushEnabledApplication.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval Jump to behavior
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval Jump to behavior
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 0000000D.00000002.473478511.000001E15A102000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000D.00000002.473407343.000001E15A03D000.00000004.00000001.sdmp Binary or memory string: $@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000D.00000002.473478511.000001E15A102000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000D.00000002.473407343.000001E15A03D000.00000004.00000001.sdmp Binary or memory string: $@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

barindex
Yara detected Emotet
Source: Yara match File source: 00000002.00000002.473344049.00000000004AE000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.212747203.0000000002BF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.212084760.0000000000631000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.474635220.00000000022B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.211614654.0000000000631000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.idWMSrWvoE.exe.2bf0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows.Networking.Sockets.PushEnabledApplication.exe.22b0000.1.unpack, type: UNPACKEDPE