Analysis Report 017088f2dc57fbcba5bc1a1e4eb70a6e

Overview

General Information

Sample Name: 017088f2dc57fbcba5bc1a1e4eb70a6e (renamed file extension from none to exe)
Analysis ID: 318767
MD5: 71d8c3b29cc7f125e735023717ded1cb
SHA1: 4137c2fe0e64e575579f1231510f8731cb47aab1
SHA256: 10629343c29e459c9990854a634e5bb6ce9563f6c31ffc8b24b178495ca9b000

Detection

Emotet
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.649652893.0000000000450000.00000040.00000001.sdmp Malware Configuration Extractor: Emotet (C2 list of IP:port pairs)
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02083A00 _snwprintf,FindNextFileW,FindNextFileW,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose, 0_2_02083A00

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.4:49741 -> 70.116.143.84:80
Source: Traffic Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.4:49756 -> 51.75.33.127:80
Source: Traffic Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.4:49759 -> 37.157.196.117:7080
Source: Traffic Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.4:49764 -> 116.202.23.3:8080
Source: Traffic Snort IDS: 2404316 ET CNC Feodo Tracker Reported CnC Server TCP group 9 192.168.2.4:49765 -> 187.162.248.237:80
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49759 -> 37.157.196.117:7080
Source: global traffic TCP traffic: 192.168.2.4:49764 -> 116.202.23.3:8080
Source: global traffic TCP traffic: 192.168.2.4:49768 -> 204.225.249.100:7080
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 204.225.249.100 204.225.249.100
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View ASN Name: TWC-11427-TEXASUS TWC-11427-TEXASUS
Source: Joe Sandbox View ASN Name: FIBRENOIRE-INTERNETCA FIBRENOIRE-INTERNETCA
Source: unknown TCP traffic detected without corresponding DNS query: 70.116.143.84
Source: unknown TCP traffic detected without corresponding DNS query: 51.75.33.127
Source: unknown TCP traffic detected without corresponding DNS query: 37.157.196.117
Source: unknown TCP traffic detected without corresponding DNS query: 116.202.23.3
Source: unknown TCP traffic detected without corresponding DNS query: 187.162.248.237
Source: unknown TCP traffic detected without corresponding DNS query: 204.225.249.100
Source: unknown TCP traffic detected without corresponding DNS query: 67.247.242.247
Source: svchost.exe, 00000006.00000003.741064408.0000021B9F158000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000006.00000003.741064408.0000021B9F158000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000006.00000003.741023232.0000021B9F169000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD",
"MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-11-16T08:29:46.4904070Z||.||18ebec36-1675-40c0-a5d4-25e9e774360f||1152921505692410033||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000006.00000003.741023232.0000021B9F169000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD",
"MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-11-16T08:29:46.4904070Z||.||18ebec36-1675-40c0-a5d4-25e9e774360f||1152921505692410033||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000006.00000003.741064408.0000021B9F158000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.facebook.com (Facebook)
Source: svchost.exe, 00000006.00000003.741064408.0000021B9F158000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.twitter.com (Twitter)
Source: svchost.exe, 00000006.00000003.733083436.0000021B9F169000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000006.00000003.733083436.0000021B9F169000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000006.00000003.733009521.0000021B9F17B000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":378738486,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6","PackageId":"07a1d8a1-8397-e482-20a2-bffb37866c1e-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
Source: svchost.exe, 00000006.00000003.733139877.0000021B9F19B000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000006.00000003.741064408.0000021B9F158000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000006.00000003.741064408.0000021B9F158000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000006.00000003.741023232.0000021B9F169000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-11-16T08:29:46.4904070Z||.||18ebec36-1675-40c0-a5d4-25e9e774360f||1152921505692410033||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000006.00000003.740201564.0000021B9F185000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.740176639.0000021B9F169000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 00000006.00000003.733083436.0000021B9F169000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.733139877.0000021B9F19B000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.733009521.0000021B9F17B000.00000004.00000001.sdmp String found in binary or memory: https://instagram.com/hiddencity_
Source: svchost.exe, 00000006.00000003.732219234.0000021B9F19C000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/ca-privacy-rights
Source: svchost.exe, 00000006.00000003.732219234.0000021B9F19C000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
Source: svchost.exe, 00000006.00000003.740201564.0000021B9F185000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.740176639.0000021B9F169000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 00000006.00000003.740201564.0000021B9F185000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.740176639.0000021B9F169000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy
Source: iasads.exe, 00000001.00000002.916621392.00000000029C5000.00000004.00000001.sdmp String found in binary or memory: http://116.202.23.3:8080/r5KB/0fQxMGG/Oupq9wOs13sfWiBD/gc5Vty/vE4jSTsXgNE/
Source: iasads.exe, 00000001.00000002.916557279.0000000002796000.00000004.00000001.sdmp String found in binary or memory: http://116.202.23.3:8080/r5KB/0fQxMGG/Oupq9wOs13sfWiBD/gc5Vty/vE4jSTsXgNE/u
Source: iasads.exe, 00000001.00000002.916621392.00000000029C5000.00000004.00000001.sdmp String found in binary or memory: http://187.162.248.237/XJFVnzq0tWbi4P1dAy/IRC6lowLxMM/fdYt39ymlvWVTQYj/
Source: iasads.exe, 00000001.00000002.916621392.00000000029C5000.00000004.00000001.sdmp String found in binary or memory: http://187.162.248.237/XJFVnzq0tWbi4P1dAy/IRC6lowLxMM/fdYt39ymlvWVTQYj/=
Source: iasads.exe, 00000001.00000002.916557279.0000000002796000.00000004.00000001.sdmp String found in binary or memory: http://187.162.248.237/XJFVnzq0tWbi4P1dAy/IRC6lowLxMM/fdYt39ymlvWVTQYj/E/6lK/8Dak6W77/Y
Source: iasads.exe, 00000001.00000002.916621392.00000000029C5000.00000004.00000001.sdmp String found in binary or memory: http://187.162.248.237/XJFVnzq0tWbi4P1dAy/IRC6lowLxMM/fdYt39ymlvWVTQYj/M
Source: iasads.exe, 00000001.00000002.916602786.00000000029B0000.00000004.00000001.sdmp String found in binary or memory: http://204.225.249.100:7080/FlxTxTrqonw/nTpA5A/
Source: iasads.exe, 00000001.00000002.916609161.00000000029B2000.00000004.00000001.sdmp String found in binary or memory: http://204.225.249.100:7080/FlxTxTrqonw/nTpA5A/OF
Source: iasads.exe, 00000001.00000002.916602786.00000000029B0000.00000004.00000001.sdmp String found in binary or memory: http://204.225.249.100:7080/FlxTxTrqonw/nTpA5A/sfWiBD/gc5Vty/vE4jSTsXgNE//WJ
Source: iasads.exe, 00000001.00000002.916609161.00000000029B2000.00000004.00000001.sdmp String found in binary or memory: http://204.225.249.100:7080/FlxTxTrqonw/nTpA5A/xF
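The URL strings above mix the sample's own command-and-control addresses (read out of iasads.exe memory) with certificate-revocation and web-site URLs that live in the unrelated svchost.exe process. The following Python is an added example, not part of the Joe Sandbox report, that parses lines in this format and reduces the sample-process URLs to host:port indicators. Emotet randomises the URI path per request and the trailing characters on several of the strings are residue from adjacent memory, so the path is not a stable indicator; the IP and port are. The process names in SAMPLE_PROCESSES come from the report, and the input lines are copied from it and embedded so the script runs offline.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed input: report lines copied from the list above (two sample-process
# URLs per host would be more realistic, but a handful is enough to show the
# filtering), plus the benign svchost.exe lines that sit next to them.
REPORT_LINES = """\
Source: iasads.exe, 00000001.00000003.804234417.00000000029C5000.00000004.00000001.sdmp String found in binary or memory: http://37.157.196.117:7080/4bCOBIUt7s6cU6Jvgi/JXp5up/UcWzB5cPiQ7/
Source: iasads.exe, 00000001.00000003.804234417.00000000029C5000.00000004.00000001.sdmp String found in binary or memory: http://37.157.196.117:7080/4bCOBIUt7s6cU6Jvgi/JXp5up/UcWzB5cPiQ7/l
Source: iasads.exe, 00000001.00000003.804234417.00000000029C5000.00000004.00000001.sdmp String found in binary or memory: http://51.75.33.127/8sSmjBYNtGcEZxZ/eYwGzHgfgD2/k3qhHh1Z66lK/8Dak6W77/&
Source: iasads.exe, 00000001.00000002.916609161.00000000029B2000.00000004.00000001.sdmp String found in binary or memory: http://67.247.242.247/Nqho6zVhUJa6C/pkDuvZ3V25O0/dQiyn4/SItPGhKeY/osclJh1TuJMbKe/xRD4ArEWbw/uF-
Source: iasads.exe, 00000001.00000002.916621392.00000000029C5000.00000004.00000001.sdmp String found in binary or memory: http://116.202.23.3:8080/r5KB/0fQxMGG/Oupq9wOs13sfWiBD/gc5Vty/vE4jSTsXgNE/
Source: iasads.exe, 00000001.00000002.916557279.0000000002796000.00000004.00000001.sdmp String found in binary or memory: http://187.162.248.237/XJFVnzq0tWbi4P1dAy/IRC6lowLxMM/fdYt39ymlvWVTQYj/E/6lK/8Dak6W77/Y
Source: iasads.exe, 00000001.00000002.916602786.00000000029B0000.00000004.00000001.sdmp String found in binary or memory: http://204.225.249.100:7080/FlxTxTrqonw/nTpA5A/
Source: svchost.exe, 00000006.00000003.733406954.0000021B9F126000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 00000006.00000003.733083436.0000021B9F169000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.733139877.0000021B9F19B000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
"""

# Processes that belong to the sample (the original file and its dropped copy,
# both named in the report). URLs seen only in other processes are ignored.
SAMPLE_PROCESSES = {"iasads.exe", "017088f2dc57fbcba5bc1a1e4eb70a6e.exe"}

# First process name after "Source:", then the URL after the fixed marker text.
LINE_RE = re.compile(
    r"^Source:\s+(?P<proc>[^,]+),.*?String found in binary or memory:\s+(?P<url>\S+)\s*$"
)


def parse_report_line(line):
    """Return (process, url) for a 'String found in binary or memory' line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("proc").strip(), m.group("url")


def c2_endpoint(url):
    """Reduce a URL to (ip, port) when its host is an IP literal, else None.

    The randomised path and the overrun characters after it are dropped on
    purpose; only the hard-coded host and port are stable across requests.
    """
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:            # malformed port such as "ocsp.digicert.com0" would be caught below
        return None
    if host is None:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:            # DNS name, not an IP literal: not what this sample uses for C2
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return str(ip), port


def extract_c2(lines):
    """Count (ip, port) endpoints referenced from the sample's own processes."""
    hits = Counter()
    for line in lines:
        parsed = parse_report_line(line)
        if parsed is None:
            continue
        proc, url = parsed
        if proc not in SAMPLE_PROCESSES:
            continue
        endpoint = c2_endpoint(url)
        if endpoint is not None:
            hits[endpoint] += 1
    return hits


def indicators(lines):
    """'ip:port' strings in address order, ready for a blocklist or firewall rule."""
    def key(e):
        addr = ipaddress.ip_address(e[0])
        return (addr.version, int(addr), e[1])
    return [f"{ip}:{port}" for ip, port in sorted(extract_c2(lines), key=key)]


if __name__ == "__main__":
    for ioc in indicators(REPORT_LINES.splitlines()):
        print(ioc)
```

Feed the full report text to indicators() to recover the whole C2 list. Strings from processes outside SAMPLE_PROCESSES are dropped rather than flagged, so extend that set if a sample injects into another process.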

E-Banking Fraud:

barindex
Yara detected Emotet
Source: Yara match File source: 00000000.00000002.649652893.0000000000450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.915855087.00000000005C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.650061400.0000000002081000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.915728577.00000000004D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.915895219.00000000005E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.649752129.00000000004B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.iasads.exe.5e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.017088f2dc57fbcba5bc1a1e4eb70a6e.exe.2080000.1.unpack, type: UNPACKEDPE

System Summary:

barindex
Creates files inside the system directory
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe File created: C:\Windows\SysWOW64\irclass\ Jump to behavior
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe File deleted: C:\Windows\SysWOW64\irclass\iasads.exe:Zone.Identifier Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_0040A843 0_2_0040A843
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_0040442C 0_2_0040442C
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_0040B0EA 0_2_0040B0EA
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_0040B4F6 0_2_0040B4F6
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_0040AD16 0_2_0040AD16
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_0040B916 0_2_0040B916
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00404A50 0_2_00404A50
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02088410 0_2_02088410
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02083E20 0_2_02083E20
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02086660 0_2_02086660
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02087820 0_2_02087820
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02084070 0_2_02084070
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02083C70 0_2_02083C70
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02081C90 0_2_02081C90
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02084097 0_2_02084097
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00455C0E 0_2_00455C0E
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_0045580E 0_2_0045580E
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_0045382E 0_2_0045382E
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00455C35 0_2_00455C35
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_004581FE 0_2_004581FE
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_004559BE 0_2_004559BE
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00459FAE 0_2_00459FAE
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_004593BE 0_2_004593BE
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_0040A843 1_2_0040A843
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_0040442C 1_2_0040442C
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_0040B0EA 1_2_0040B0EA
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_0040B4F6 1_2_0040B4F6
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_0040AD16 1_2_0040AD16
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_0040B916 1_2_0040B916
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_00404A50 1_2_00404A50
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_004D5C0E 1_2_004D5C0E
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_004D580E 1_2_004D580E
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_004D382E 1_2_004D382E
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_004D5C35 1_2_004D5C35
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_004D81FE 1_2_004D81FE
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_004D59BE 1_2_004D59BE
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_004D9FAE 1_2_004D9FAE
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_004D93BE 1_2_004D93BE
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: String function: 004049F0 appears 48 times
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: String function: 004049F0 appears 48 times
PE file contains strange resources
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe, 00000000.00000002.650872949.0000000002A10000.00000002.00000001.sdmp Binary or memory string: originalfilename vs 017088f2dc57fbcba5bc1a1e4eb70a6e.exe
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe, 00000000.00000002.650872949.0000000002A10000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 017088f2dc57fbcba5bc1a1e4eb70a6e.exe
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe, 00000000.00000002.650711663.0000000002910000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs 017088f2dc57fbcba5bc1a1e4eb70a6e.exe
Source: classification engine Classification label: mal72.troj.evad.winEXE@6/0@0/8
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: CreateServiceW,_snwprintf,OpenSCManagerW,CloseServiceHandle,CloseServiceHandle, 0_2_02088950
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_020851F0 GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,GetProcessHeap,HeapFree, 0_2_020851F0
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto Jump to behavior
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Command line argument: kernel32.dll 0_2_004017D0
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Command line argument: lhxXfY9mIrDZ 0_2_004017D0
Source: C:\Windows\SysWOW64\irclass\iasads.exe Command line argument: kernel32.dll 1_2_004017D0
Source: C:\Windows\SysWOW64\irclass\iasads.exe Command line argument: lhxXfY9mIrDZ 1_2_004017D0
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe 'C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe'
Source: unknown Process created: C:\Windows\SysWOW64\irclass\iasads.exe C:\Windows\SysWOW64\irclass\iasads.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Process created: C:\Windows\SysWOW64\irclass\iasads.exe C:\Windows\SysWOW64\irclass\iasads.exe Jump to behavior
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\users\dodo\downloads\systraydemosrc\systraydemo\release\SysTrayDemo.pdb source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe
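The System Summary lines show the chain behind the report's drop-and-start verdict: the sample on the Desktop creates C:\Windows\SysWOW64\irclass\, removes the Zone.Identifier stream from iasads.exe in that directory (so the copy no longer carries the mark of the web), and then starts it. The Python below is an added example, not from the report or the sandbox, of a correlation rule over such behavioural events. The Event shape and the event list are constructed to mirror the report's lines; the file_create of iasads.exe itself is an assumption (the report lists the directory creation and the stream deletion, and its signature summary says executables are dropped), so the rule also fires when only the directory creation was observed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One behavioural record, shaped like the report's 'Source: X  File created: Y' lines."""
    kind: str     # "file_create", "stream_delete" or "process_create"
    actor: str    # image of the process that did it ("unknown" when not attributed)
    target: str   # path created/deleted, or image path of the new process


WINDOWS_DIR = "c:\\windows\\"


def _norm(path):
    return path.lower().replace("/", "\\")


def under_windows_dir(path):
    return _norm(path).startswith(WINDOWS_DIR)


def from_user_profile(path):
    """True for anything under a user profile, where an unprivileged dropper lives."""
    return "\\users\\" in _norm(path)


def detect_drop_and_execute(events):
    """Correlate writes into C:\\Windows by a user-profile process with later execution.

    Returns one alert dict per offending process_create. An alert is raised when
    the executed file was written by such a process, or when the directory it
    sits in was created by one (the report only shows the directory creation,
    so that path has to count as well). motw_stripped records whether the
    Zone.Identifier stream of that file was deleted beforehand.
    """
    dropped_files = {}    # normalised file path -> writer image
    dropped_dirs = {}     # normalised directory path (trailing backslash) -> creator
    motw_stripped = set()
    alerts = []
    for ev in events:
        tgt = _norm(ev.target)
        if ev.kind == "file_create":
            if under_windows_dir(tgt) and from_user_profile(ev.actor):
                (dropped_dirs if tgt.endswith("\\") else dropped_files)[tgt] = ev.actor
        elif ev.kind == "stream_delete" and tgt.endswith(":zone.identifier"):
            motw_stripped.add(tgt.rsplit(":", 1)[0])
        elif ev.kind == "process_create":
            writer = dropped_files.get(tgt)
            if writer is None:
                parent_dir = tgt.rsplit("\\", 1)[0] + "\\"
                writer = dropped_dirs.get(parent_dir)
            if writer is None:
                continue
            alerts.append({
                "image": ev.target,
                "dropper": writer,
                "parent": ev.actor,
                "motw_stripped": tgt in motw_stripped,
            })
    return alerts


# Constructed event list mirroring the report: paths are the report's, the order
# and the file_create of the dropped executable are assumed.
SAMPLE = "C:\\Users\\user\\Desktop\\017088f2dc57fbcba5bc1a1e4eb70a6e.exe"
DROPPED = "C:\\Windows\\SysWOW64\\irclass\\iasads.exe"

EVENTS = [
    Event("process_create", "unknown", SAMPLE),
    Event("file_create", SAMPLE, "C:\\Windows\\SysWOW64\\irclass\\"),
    Event("file_create", SAMPLE, DROPPED),                       # assumed, see lead-in
    Event("stream_delete", SAMPLE, DROPPED + ":Zone.Identifier"),
    Event("process_create", SAMPLE, DROPPED),
    Event("process_create", "unknown", "C:\\Windows\\System32\\svchost.exe"),  # benign noise
]

if __name__ == "__main__":
    for alert in detect_drop_and_execute(EVENTS):
        print(alert)
```

The rule deliberately keys on the writer's location rather than on a list of known-bad directory names under SysWOW64; the directory name (irclass here) is chosen by the malware and changes between samples, while "a process from a user profile wrote into C:\Windows and then something ran from there" does not.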

Data Obfuscation:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_004016C0 LoadLibraryW,GetProcAddress, 0_2_004016C0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_0040F4AF push ecx; ret 0_2_0040F4C2
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00404A35 push ecx; ret 0_2_00404A48
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02085EA0 push ecx; mov dword ptr [esp], 0000814Ch 0_2_02085EA1
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02085EF0 push ecx; mov dword ptr [esp], 00003778h 0_2_02085EF1
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02085F10 push ecx; mov dword ptr [esp], 0000F389h 0_2_02085F11
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02085F60 push ecx; mov dword ptr [esp], 00003EC8h 0_2_02085F61
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02085F90 push ecx; mov dword ptr [esp], 000035FCh 0_2_02085F91
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02085FB0 push ecx; mov dword ptr [esp], 0000DF00h 0_2_02085FB1
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02085FD0 push ecx; mov dword ptr [esp], 00002377h 0_2_02085FD1
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02086010 push ecx; mov dword ptr [esp], 0000F183h 0_2_02086011
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02086070 push ecx; mov dword ptr [esp], 0000AEACh 0_2_02086071
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_020860C0 push ecx; mov dword ptr [esp], 0000CA5Ch 0_2_020860C1
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_020860F0 push ecx; mov dword ptr [esp], 000009D3h 0_2_020860F1
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00457C5E push ecx; mov dword ptr [esp], 0000CA5Ch 0_2_00457C5F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00457C0E push ecx; mov dword ptr [esp], 0000AEACh 0_2_00457C0F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00457C8E push ecx; mov dword ptr [esp], 000009D3h 0_2_00457C8F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00457A3E push ecx; mov dword ptr [esp], 0000814Ch 0_2_00457A3F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00457AFE push ecx; mov dword ptr [esp], 00003EC8h 0_2_00457AFF
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00457A8E push ecx; mov dword ptr [esp], 00003778h 0_2_00457A8F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00457AAE push ecx; mov dword ptr [esp], 0000F389h 0_2_00457AAF
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00457B4E push ecx; mov dword ptr [esp], 0000DF00h 0_2_00457B4F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00457B6E push ecx; mov dword ptr [esp], 00002377h 0_2_00457B6F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00457B2E push ecx; mov dword ptr [esp], 000035FCh 0_2_00457B2F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00457BAE push ecx; mov dword ptr [esp], 0000F183h 0_2_00457BAF
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_0040F4AF push ecx; ret 0_2_0040F4C2
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00404A35 push ecx; ret 0_2_00404A48
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02085EA0 push ecx; mov dword ptr [esp], 0000814Ch 0_2_02085EA1
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02085EF0 push ecx; mov dword ptr [esp], 00003778h 0_2_02085EF1
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02085F10 push ecx; mov dword ptr [esp], 0000F389h 0_2_02085F11
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02085F60 push ecx; mov dword ptr [esp], 00003EC8h 0_2_02085F61
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02085F90 push ecx; mov dword ptr [esp], 000035FCh 0_2_02085F91
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02085FB0 push ecx; mov dword ptr [esp], 0000DF00h 0_2_02085FB1
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02085FD0 push ecx; mov dword ptr [esp], 00002377h 0_2_02085FD1
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02086010 push ecx; mov dword ptr [esp], 0000F183h 0_2_02086011
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02086070 push ecx; mov dword ptr [esp], 0000AEACh 0_2_02086071
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_0040F4AF push ecx; ret 1_2_0040F4C2
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_00404A35 push ecx; ret 1_2_00404A48
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_004D7C5E push ecx; mov dword ptr [esp], 0000CA5Ch 1_2_004D7C5F
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_004D7C0E push ecx; mov dword ptr [esp], 0000AEACh 1_2_004D7C0F
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_004D7C8E push ecx; mov dword ptr [esp], 000009D3h 1_2_004D7C8F
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_004D7A3E push ecx; mov dword ptr [esp], 0000814Ch 1_2_004D7A3F
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_004D7AFE push ecx; mov dword ptr [esp], 00003EC8h 1_2_004D7AFF

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Executable created and started: C:\Windows\SysWOW64\irclass\iasads.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe PE file moved: C:\Windows\SysWOW64\irclass\iasads.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe File opened: C:\Windows\SysWOW64\irclass\iasads.exe:Zone.Identifier read attributes | delete

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,GetProcessHeap,HeapFree, 0_2_020851F0
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6808 Thread sleep time: -210000s >= -30000s
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02083A00 _snwprintf,FindNextFileW,FindNextFileW,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose, 0_2_02083A00
Source: svchost.exe, 00000003.00000002.705231520.0000023CACF40000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.719319781.00000231ABB40000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.753212853.0000021B9F800000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000006.00000002.752353632.0000021B9EA7D000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW0
Source: iasads.exe, 00000001.00000003.804173451.00000000029D3000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.752428191.0000021B9EAC7000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000003.00000002.705231520.0000023CACF40000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.719319781.00000231ABB40000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.753212853.0000021B9F800000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000003.00000002.705231520.0000023CACF40000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.719319781.00000231ABB40000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.753212853.0000021B9F800000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000003.00000002.705231520.0000023CACF40000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.719319781.00000231ABB40000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.753212853.0000021B9F800000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\irclass\iasads.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00402899 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00402899
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_004016C0 LoadLibraryW,GetProcAddress, 0_2_004016C0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02084FA0 mov eax, dword ptr fs:[00000030h] 0_2_02084FA0
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_02084070 mov eax, dword ptr fs:[00000030h] 0_2_02084070
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00450456 mov eax, dword ptr fs:[00000030h] 0_2_00450456
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00455C0E mov eax, dword ptr fs:[00000030h] 0_2_00455C0E
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_0045095E mov eax, dword ptr fs:[00000030h] 0_2_0045095E
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00456B3E mov eax, dword ptr fs:[00000030h] 0_2_00456B3E
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_004D0456 mov eax, dword ptr fs:[00000030h] 1_2_004D0456
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_004D5C0E mov eax, dword ptr fs:[00000030h] 1_2_004D5C0E
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_004D095E mov eax, dword ptr fs:[00000030h] 1_2_004D095E
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_004D6B3E mov eax, dword ptr fs:[00000030h] 1_2_004D6B3E
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00402D2E GetStartupInfoW,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__amsg_exit,__amsg_exit,__amsg_exit,__cinit,__amsg_exit, 0_2_00402D2E
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00402899 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00402899
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_0040625E SetUnhandledExceptionFilter, 0_2_0040625E
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_0040623C SetUnhandledExceptionFilter, 0_2_0040623C
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_0040372F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040372F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00408BB8 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00408BB8
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_00402899 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00402899
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_0040625E SetUnhandledExceptionFilter, 1_2_0040625E
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_0040623C SetUnhandledExceptionFilter, 1_2_0040623C
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_0040372F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0040372F
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: 1_2_00408BB8 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00408BB8
Source: iasads.exe, 00000001.00000002.916087067.0000000000DC0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: iasads.exe, 00000001.00000002.916087067.0000000000DC0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: iasads.exe, 00000001.00000002.916087067.0000000000DC0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: iasads.exe, 00000001.00000002.916087067.0000000000DC0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00408922 cpuid 0_2_00408922
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: GetLocaleInfoA, 0_2_0040CCC7
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: GetLocaleInfoA, 0_2_0040CC9F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: GetLocaleInfoA, 0_2_0040A146
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: GetLocaleInfoA, 0_2_0040A500
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: _strlen,_strlen,EnumSystemLocalesA, 0_2_0040A5BF
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: _GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA, 0_2_0040A660
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: GetLocaleInfoA, 0_2_0040CA78
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: _strlen,EnumSystemLocalesA, 0_2_0040A624
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: GetLocaleInfoA, 0_2_0040A228
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,__alloca_probe_16,GetLocaleInfoA,MultiByteToWideChar, 0_2_00408E2E
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: GetLastError,__invoke_watson,___crtGetLocaleInfoA, 0_2_00406AC5
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: GetLocaleInfoA,_strlen, 0_2_0040A2BE
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen, 0_2_0040A330
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 0_2_00408FA4
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: GetLocaleInfoA, 1_2_0040CCC7
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: GetLocaleInfoA, 1_2_0040CC9F
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: GetLocaleInfoA, 1_2_0040A146
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: GetLocaleInfoA, 1_2_0040A500
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: _strlen,_strlen,EnumSystemLocalesA, 1_2_0040A5BF
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: _GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA, 1_2_0040A660
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: GetLocaleInfoA, 1_2_0040CA78
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: _strlen,EnumSystemLocalesA, 1_2_0040A624
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: GetLocaleInfoA, 1_2_0040A228
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,__alloca_probe_16,GetLocaleInfoA,MultiByteToWideChar, 1_2_00408E2E
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: GetLastError,__invoke_watson,___crtGetLocaleInfoA, 1_2_00406AC5
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: GetLocaleInfoA,_strlen, 1_2_0040A2BE
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen, 1_2_0040A330
Source: C:\Windows\SysWOW64\irclass\iasads.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 1_2_00408FA4
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\irclass\iasads.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00405FBE GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00405FBE
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Code function: 0_2_00402D2E GetStartupInfoW,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__amsg_exit,__amsg_exit,__amsg_exit,__cinit,__amsg_exit, 0_2_00402D2E
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000000.00000002.649652893.0000000000450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.915855087.00000000005C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.650061400.0000000002081000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.915728577.00000000004D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.915895219.00000000005E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.649752129.00000000004B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.iasads.exe.5e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.017088f2dc57fbcba5bc1a1e4eb70a6e.exe.2080000.1.unpack, type: UNPACKEDPE