Analysis Report 017088f2dc57fbcba5bc1a1e4eb70a6e

Overview

General Information

Sample Name:	017088f2dc57fbcba5bc1a1e4eb70a6e (renamed file extension from none to exe)
Analysis ID:	318767
MD5:	71d8c3b29cc7f125e735023717ded1cb
SHA1:	4137c2fe0e64e575579f1231510f8731cb47aab1
SHA256:	10629343c29e459c9990854a634e5bb6ce9563f6c31ffc8b24b178495ca9b000
Most interesting Screenshot:

Detection

Emotet

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Emotet

Drops executables to the windows directory (C:\Windows) and starts them

Hides that the sample has been downloaded from the Internet (zone.identifier)

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files to the windows directory (C:\Windows)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000000.00000002.649652893.0000000000450000.00000040.00000001.sdmp	Malware Configuration Extractor: Emotet {"C2 list": ["70.116.143.84:80", "51.75.33.127:80", "37.157.196.117:7080", "116.202.23.3:8080", "187.162.248.237:80", "204.225.249.100:7080", "67.247.242.247:80", "192.241.146.84:8080", "178.250.54.208:8080", "188.135.15.49:80", "77.238.212.227:80", "152.169.22.67:80", "186.103.141.250:443", "82.76.111.249:443", "213.197.182.158:8080", "201.213.177.139:80", "74.136.144.133:80", "72.47.248.48:7080", "51.38.124.206:80", "190.24.243.186:80", "174.113.69.136:80", "192.81.38.31:80", "68.69.155.181:80", "45.16.226.117:443", "111.67.12.221:8080", "83.169.21.32:7080", "82.230.1.24:80", "51.255.165.160:8080", "70.32.115.157:8080", "61.92.159.208:8080", "191.182.6.118:80", "77.90.136.129:8080", "181.129.96.162:8080", "45.46.37.97:80", "68.183.170.114:8080", "190.117.79.209:80", "192.241.143.52:8080", "65.36.62.20:80", "185.94.252.27:443", "96.245.123.149:80", "185.215.227.107:443", "70.32.84.74:8080", "190.2.31.172:80", "104.131.41.185:8080", "189.2.177.210:443", "190.163.31.26:80", "92.24.50.153:80", "185.183.16.47:80", "119.106.216.84:80", "60.108.144.104:443", "104.131.103.37:8080", "80.11.164.185:80", "212.71.237.140:8080", "185.94.252.12:80", "1.226.84.243:8080", "177.74.228.34:80", "111.67.77.202:8080", "199.203.62.165:80", "5.196.35.138:7080", "217.199.160.224:7080", "91.105.94.200:80", "190.115.18.139:8080", "220.109.145.69:80", "138.97.60.141:7080", "60.93.23.51:80", "74.58.215.226:80", "78.249.119.122:80", "5.189.178.202:8080", "219.92.13.25:80", "38.88.126.202:8080", "96.227.52.8:443", "64.201.88.132:80", "181.30.61.163:443", "95.9.180.128:80", "177.73.0.98:443", "202.4.58.197:80", "209.236.123.42:8080", "61.197.92.216:80", "170.81.48.2:80", "51.159.23.217:443", "123.51.47.18:80", "12.162.84.2:8080", "54.37.42.48:8080", "185.232.182.218:80", "87.106.46.107:8080", "217.13.106.14:8080", "137.74.106.111:7080", "68.183.190.199:8080", "51.15.7.189:80", "77.106.157.34:8080", "172.104.169.32:8080", "190.190.148.27:8080", "76.168.54.203:80", "2.36.95.106:80", "185.178.10.77:80", "50.28.51.143:8080", "35.143.99.174:80", "50.121.220.50:80", "45.33.77.42:8080", "98.13.75.196:80", "94.176.234.118:443", "155.186.0.121:80", "216.47.196.104:80", "70.116.143.84:80", "51.75.33.127:80", "37.157.196.117:7080", "116.202.23.3:8080", "187.162.248.237:80", "204.225.249.100:7080", "67.247.242.247:80", "192.241.146.84:8080", "178.250.54.208:8080", "188.135.15.49:80", "77.238.212.227:80", "152.169.22.67:80", "186.103.141.250:443", "82.76.111.249:443", "213.197.182.158:8080", "201.213.177.139:80", "74.136.144.133:80", "72.47.248.48:7080", "51.38.124.206:80", "190.24.243.186:80", "174.113.69.136:80", "192.81.38.31:80", "68.69.155.181:80", "45.16.226.117:443", "111.67.12.221:8080", "83.169.21.32:7080", "82.230.1.24:80", "51.255.165.160:8080", "70.32.115.157:8080", "61.92.159.208:8080", "191.182.6.118:80", "77.90.136.129:8080", "181.129.96.162:8080", "45.46.37.97:80", "68.183.170.114:8080", "190.117.79.209:80", "192.241.143.52:8080", "65.36.62.20:80", "185.94.252.27:4
Source: 00000000.00000002.649652893.0000000000450000.00000040.00000001.sdmp	Malware Configuration Extractor: Emotet {"C2 list": ["70.116.143.84:80", "51.75.33.127:80", "37.157.196.117:7080", "116.202.23.3:8080", "187.162.248.237:80", "204.225.249.100:7080", "67.247.242.247:80", "192.241.146.84:8080", "178.250.54.208:8080", "188.135.15.49:80", "77.238.212.227:80", "152.169.22.67:80", "186.103.141.250:443", "82.76.111.249:443", "213.197.182.158:8080", "201.213.177.139:80", "74.136.144.133:80", "72.47.248.48:7080", "51.38.124.206:80", "190.24.243.186:80", "174.113.69.136:80", "192.81.38.31:80", "68.69.155.181:80", "45.16.226.117:443", "111.67.12.221:8080", "83.169.21.32:7080", "82.230.1.24:80", "51.255.165.160:8080", "70.32.115.157:8080", "61.92.159.208:8080", "191.182.6.118:80", "77.90.136.129:8080", "181.129.96.162:8080", "45.46.37.97:80", "68.183.170.114:8080", "190.117.79.209:80", "192.241.143.52:8080", "65.36.62.20:80", "185.94.252.27:443", "96.245.123.149:80", "185.215.227.107:443", "70.32.84.74:8080", "190.2.31.172:80", "104.131.41.185:8080", "189.2.177.210:443", "190.163.31.26:80", "92.24.50.153:80", "185.183.16.47:80", "119.106.216.84:80", "60.108.144.104:443", "104.131.103.37:8080", "80.11.164.185:80", "212.71.237.140:8080", "185.94.252.12:80", "1.226.84.243:8080", "177.74.228.34:80", "111.67.77.202:8080", "199.203.62.165:80", "5.196.35.138:7080", "217.199.160.224:7080", "91.105.94.200:80", "190.115.18.139:8080", "220.109.145.69:80", "138.97.60.141:7080", "60.93.23.51:80", "74.58.215.226:80", "78.249.119.122:80", "5.189.178.202:8080", "219.92.13.25:80", "38.88.126.202:8080", "96.227.52.8:443", "64.201.88.132:80", "181.30.61.163:443", "95.9.180.128:80", "177.73.0.98:443", "202.4.58.197:80", "209.236.123.42:8080", "61.197.92.216:80", "170.81.48.2:80", "51.159.23.217:443", "123.51.47.18:80", "12.162.84.2:8080", "54.37.42.48:8080", "185.232.182.218:80", "87.106.46.107:8080", "217.13.106.14:8080", "137.74.106.111:7080", "68.183.190.199:8080", "51.15.7.189:80", "77.106.157.34:8080", "172.104.169.32:8080", "190.190.148.27:8080", "76.168.54.203:80", "2.36.95.106:80", "185.178.10.77:80", "50.28.51.143:8080", "35.143.99.174:80", "50.121.220.50:80", "45.33.77.42:8080", "98.13.75.196:80", "94.176.234.118:443", "155.186.0.121:80", "216.47.196.104:80", "70.116.143.84:80", "51.75.33.127:80", "37.157.196.117:7080", "116.202.23.3:8080", "187.162.248.237:80", "204.225.249.100:7080", "67.247.242.247:80", "192.241.146.84:8080", "178.250.54.208:8080", "188.135.15.49:80", "77.238.212.227:80", "152.169.22.67:80", "186.103.141.250:443", "82.76.111.249:443", "213.197.182.158:8080", "201.213.177.139:80", "74.136.144.133:80", "72.47.248.48:7080", "51.38.124.206:80", "190.24.243.186:80", "174.113.69.136:80", "192.81.38.31:80", "68.69.155.181:80", "45.16.226.117:443", "111.67.12.221:8080", "83.169.21.32:7080", "82.230.1.24:80", "51.255.165.160:8080", "70.32.115.157:8080", "61.92.159.208:8080", "191.182.6.118:80", "77.90.136.129:8080", "181.129.96.162:8080", "45.46.37.97:80", "68.183.170.114:8080", "190.117.79.209:80", "192.241.143.52:8080", "65.36.62.20:80", "185.94.252.27:4

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02083A00 _snwprintf,FindNextFileW,FindNextFileW,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,		0_2_02083A00
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02083A00 _snwprintf,FindNextFileW,FindNextFileW,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,		0_2_02083A00

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.4:49741 -> 70.116.143.84:80
Source: Traffic	Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.4:49756 -> 51.75.33.127:80
Source: Traffic	Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.4:49759 -> 37.157.196.117:7080
Source: Traffic	Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.4:49764 -> 116.202.23.3:8080
Source: Traffic	Snort IDS: 2404316 ET CNC Feodo Tracker Reported CnC Server TCP group 9 192.168.2.4:49765 -> 187.162.248.237:80
Source: Traffic	Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.4:49741 -> 70.116.143.84:80
Source: Traffic	Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.4:49756 -> 51.75.33.127:80
Source: Traffic	Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.4:49759 -> 37.157.196.117:7080
Source: Traffic	Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.4:49764 -> 116.202.23.3:8080
Source: Traffic	Snort IDS: 2404316 ET CNC Feodo Tracker Reported CnC Server TCP group 9 192.168.2.4:49765 -> 187.162.248.237:80

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.4:49759 -> 37.157.196.117:7080
Source: global traffic	TCP traffic: 192.168.2.4:49764 -> 116.202.23.3:8080
Source: global traffic	TCP traffic: 192.168.2.4:49768 -> 204.225.249.100:7080
Source: global traffic	TCP traffic: 192.168.2.4:49759 -> 37.157.196.117:7080
Source: global traffic	TCP traffic: 192.168.2.4:49764 -> 116.202.23.3:8080
Source: global traffic	TCP traffic: 192.168.2.4:49768 -> 204.225.249.100:7080

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 204.225.249.100 204.225.249.100
Source: Joe Sandbox View	IP Address: 204.225.249.100 204.225.249.100

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: TWC-11427-TEXASUS TWC-11427-TEXASUS
Source: Joe Sandbox View	ASN Name: FIBRENOIRE-INTERNETCA FIBRENOIRE-INTERNETCA

Source: unknown	TCP traffic detected without corresponding DNS query: 70.116.143.84
Source: unknown	TCP traffic detected without corresponding DNS query: 70.116.143.84
Source: unknown	TCP traffic detected without corresponding DNS query: 70.116.143.84
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.33.127
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.33.127
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.33.127
Source: unknown	TCP traffic detected without corresponding DNS query: 37.157.196.117
Source: unknown	TCP traffic detected without corresponding DNS query: 37.157.196.117
Source: unknown	TCP traffic detected without corresponding DNS query: 37.157.196.117
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.23.3
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.23.3
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.23.3
Source: unknown	TCP traffic detected without corresponding DNS query: 187.162.248.237
Source: unknown	TCP traffic detected without corresponding DNS query: 187.162.248.237
Source: unknown	TCP traffic detected without corresponding DNS query: 187.162.248.237
Source: unknown	TCP traffic detected without corresponding DNS query: 204.225.249.100
Source: unknown	TCP traffic detected without corresponding DNS query: 204.225.249.100
Source: unknown	TCP traffic detected without corresponding DNS query: 204.225.249.100
Source: unknown	TCP traffic detected without corresponding DNS query: 67.247.242.247
Source: unknown	TCP traffic detected without corresponding DNS query: 67.247.242.247
Source: unknown	TCP traffic detected without corresponding DNS query: 67.247.242.247
Source: unknown	TCP traffic detected without corresponding DNS query: 70.116.143.84
Source: unknown	TCP traffic detected without corresponding DNS query: 70.116.143.84
Source: unknown	TCP traffic detected without corresponding DNS query: 70.116.143.84
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.33.127
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.33.127
Source: unknown	TCP traffic detected without corresponding DNS query: 51.75.33.127
Source: unknown	TCP traffic detected without corresponding DNS query: 37.157.196.117
Source: unknown	TCP traffic detected without corresponding DNS query: 37.157.196.117
Source: unknown	TCP traffic detected without corresponding DNS query: 37.157.196.117
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.23.3
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.23.3
Source: unknown	TCP traffic detected without corresponding DNS query: 116.202.23.3
Source: unknown	TCP traffic detected without corresponding DNS query: 187.162.248.237
Source: unknown	TCP traffic detected without corresponding DNS query: 187.162.248.237
Source: unknown	TCP traffic detected without corresponding DNS query: 187.162.248.237
Source: unknown	TCP traffic detected without corresponding DNS query: 204.225.249.100
Source: unknown	TCP traffic detected without corresponding DNS query: 204.225.249.100
Source: unknown	TCP traffic detected without corresponding DNS query: 204.225.249.100
Source: unknown	TCP traffic detected without corresponding DNS query: 67.247.242.247
Source: unknown	TCP traffic detected without corresponding DNS query: 67.247.242.247
Source: unknown	TCP traffic detected without corresponding DNS query: 67.247.242.247

Source: svchost.exe, 00000006.00000003.741064408.0000021B9F158000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000006.00000003.741064408.0000021B9F158000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000006.00000003.741023232.0000021B9F169000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-11-16T08:29:46.4904070Z\|\|.\|\|18ebec36-1675-40c0-a5d4-25e9e774360f\|\|1152921505692410033\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000006.00000003.741023232.0000021B9F169000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-11-16T08:29:46.4904070Z\|\|.\|\|18ebec36-1675-40c0-a5d4-25e9e774360f\|\|1152921505692410033\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000006.00000003.741064408.0000021B9F158000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.facebook.com (Facebook)
Source: svchost.exe, 00000006.00000003.741064408.0000021B9F158000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.twitter.com (Twitter)
Source: svchost.exe, 00000006.00000003.733083436.0000021B9F169000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000006.00000003.733083436.0000021B9F169000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000006.00000003.733083436.0000021B9F169000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000006.00000003.733009521.0000021B9F17B000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":378738486,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6","PackageId":"07a1d8a1-8397-e482-20a2-bffb37866c1e-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
Source: svchost.exe, 00000006.00000003.733009521.0000021B9F17B000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":378738486,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6","PackageId":"07a1d8a1-8397-e482-20a2-bffb37866c1e-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
Source: svchost.exe, 00000006.00000003.733009521.0000021B9F17B000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":378738486,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6","PackageId":"07a1d8a1-8397-e482-20a2-bffb37866c1e-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
Source: svchost.exe, 00000006.00000003.733139877.0000021B9F19B000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000006.00000003.733139877.0000021B9F19B000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000006.00000003.733139877.0000021B9F19B000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000006.00000003.741064408.0000021B9F158000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000006.00000003.741064408.0000021B9F158000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000006.00000003.741023232.0000021B9F169000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-11-16T08:29:46.4904070Z\|\|.\|\|18ebec36-1675-40c0-a5d4-25e9e774360f\|\|1152921505692410033\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000006.00000003.741023232.0000021B9F169000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-11-16T08:29:46.4904070Z\|\|.\|\|18ebec36-1675-40c0-a5d4-25e9e774360f\|\|1152921505692410033\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000006.00000003.741064408.0000021B9F158000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.facebook.com (Facebook)
Source: svchost.exe, 00000006.00000003.741064408.0000021B9F158000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.twitter.com (Twitter)
Source: svchost.exe, 00000006.00000003.733083436.0000021B9F169000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000006.00000003.733083436.0000021B9F169000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000006.00000003.733083436.0000021B9F169000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000006.00000003.733009521.0000021B9F17B000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":378738486,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6","PackageId":"07a1d8a1-8397-e482-20a2-bffb37866c1e-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
Source: svchost.exe, 00000006.00000003.733009521.0000021B9F17B000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":378738486,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6","PackageId":"07a1d8a1-8397-e482-20a2-bffb37866c1e-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
Source: svchost.exe, 00000006.00000003.733009521.0000021B9F17B000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":378738486,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6","PackageId":"07a1d8a1-8397-e482-20a2-bffb37866c1e-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
Source: svchost.exe, 00000006.00000003.733139877.0000021B9F19B000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000006.00000003.733139877.0000021B9F19B000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000006.00000003.733139877.0000021B9F19B000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName

Source: iasads.exe, 00000001.00000002.916621392.00000000029C5000.00000004.00000001.sdmp	String found in binary or memory: http://116.202.23.3:8080/r5KB/0fQxMGG/Oupq9wOs13sfWiBD/gc5Vty/vE4jSTsXgNE/
Source: iasads.exe, 00000001.00000002.916557279.0000000002796000.00000004.00000001.sdmp	String found in binary or memory: http://116.202.23.3:8080/r5KB/0fQxMGG/Oupq9wOs13sfWiBD/gc5Vty/vE4jSTsXgNE/u
Source: iasads.exe, 00000001.00000002.916621392.00000000029C5000.00000004.00000001.sdmp	String found in binary or memory: http://187.162.248.237/XJFVnzq0tWbi4P1dAy/IRC6lowLxMM/fdYt39ymlvWVTQYj/
Source: iasads.exe, 00000001.00000002.916621392.00000000029C5000.00000004.00000001.sdmp	String found in binary or memory: http://187.162.248.237/XJFVnzq0tWbi4P1dAy/IRC6lowLxMM/fdYt39ymlvWVTQYj/=
Source: iasads.exe, 00000001.00000002.916557279.0000000002796000.00000004.00000001.sdmp	String found in binary or memory: http://187.162.248.237/XJFVnzq0tWbi4P1dAy/IRC6lowLxMM/fdYt39ymlvWVTQYj/E/6lK/8Dak6W77/Y
Source: iasads.exe, 00000001.00000002.916621392.00000000029C5000.00000004.00000001.sdmp	String found in binary or memory: http://187.162.248.237/XJFVnzq0tWbi4P1dAy/IRC6lowLxMM/fdYt39ymlvWVTQYj/M
Source: iasads.exe, 00000001.00000002.916602786.00000000029B0000.00000004.00000001.sdmp	String found in binary or memory: http://204.225.249.100:7080/FlxTxTrqonw/nTpA5A/
Source: iasads.exe, 00000001.00000002.916609161.00000000029B2000.00000004.00000001.sdmp	String found in binary or memory: http://204.225.249.100:7080/FlxTxTrqonw/nTpA5A/OF
Source: iasads.exe, 00000001.00000002.916602786.00000000029B0000.00000004.00000001.sdmp	String found in binary or memory: http://204.225.249.100:7080/FlxTxTrqonw/nTpA5A/sfWiBD/gc5Vty/vE4jSTsXgNE//WJ
Source: iasads.exe, 00000001.00000002.916609161.00000000029B2000.00000004.00000001.sdmp	String found in binary or memory: http://204.225.249.100:7080/FlxTxTrqonw/nTpA5A/xF
Source: iasads.exe, 00000001.00000003.804234417.00000000029C5000.00000004.00000001.sdmp	String found in binary or memory: http://37.157.196.117:7080/4bCOBIUt7s6cU6Jvgi/JXp5up/UcWzB5cPiQ7/
Source: iasads.exe, 00000001.00000003.804234417.00000000029C5000.00000004.00000001.sdmp	String found in binary or memory: http://37.157.196.117:7080/4bCOBIUt7s6cU6Jvgi/JXp5up/UcWzB5cPiQ7/W77/
Source: iasads.exe, 00000001.00000003.804234417.00000000029C5000.00000004.00000001.sdmp	String found in binary or memory: http://37.157.196.117:7080/4bCOBIUt7s6cU6Jvgi/JXp5up/UcWzB5cPiQ7/l
Source: iasads.exe, 00000001.00000003.804234417.00000000029C5000.00000004.00000001.sdmp	String found in binary or memory: http://51.75.33.127/8sSmjBYNtGcEZxZ/eYwGzHgfgD2/k3qhHh1Z66lK/8Dak6W77/
Source: iasads.exe, 00000001.00000003.804234417.00000000029C5000.00000004.00000001.sdmp	String found in binary or memory: http://51.75.33.127/8sSmjBYNtGcEZxZ/eYwGzHgfgD2/k3qhHh1Z66lK/8Dak6W77/&
Source: iasads.exe, 00000001.00000002.916621392.00000000029C5000.00000004.00000001.sdmp	String found in binary or memory: http://67.247.242.247/Nqho6zVhUJa6C/pkDuvZ3V25O0/dQiyn4/SItPGhKeY/osclJh1TuJMbKe/xRD4ArEWbw/
Source: iasads.exe, 00000001.00000002.916609161.00000000029B2000.00000004.00000001.sdmp	String found in binary or memory: http://67.247.242.247/Nqho6zVhUJa6C/pkDuvZ3V25O0/dQiyn4/SItPGhKeY/osclJh1TuJMbKe/xRD4ArEWbw//W
Source: iasads.exe, 00000001.00000002.916609161.00000000029B2000.00000004.00000001.sdmp	String found in binary or memory: http://67.247.242.247/Nqho6zVhUJa6C/pkDuvZ3V25O0/dQiyn4/SItPGhKeY/osclJh1TuJMbKe/xRD4ArEWbw/RF
Source: iasads.exe, 00000001.00000002.916609161.00000000029B2000.00000004.00000001.sdmp	String found in binary or memory: http://67.247.242.247/Nqho6zVhUJa6C/pkDuvZ3V25O0/dQiyn4/SItPGhKeY/osclJh1TuJMbKe/xRD4ArEWbw/TW6
Source: iasads.exe, 00000001.00000002.916609161.00000000029B2000.00000004.00000001.sdmp	String found in binary or memory: http://67.247.242.247/Nqho6zVhUJa6C/pkDuvZ3V25O0/dQiyn4/SItPGhKeY/osclJh1TuJMbKe/xRD4ArEWbw/uF-
Source: svchost.exe, 00000006.00000003.733406954.0000021B9F126000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 00000006.00000003.733406954.0000021B9F126000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 00000006.00000003.733406954.0000021B9F126000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 00000006.00000003.733406954.0000021B9F126000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 00000006.00000003.733083436.0000021B9F169000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.733139877.0000021B9F19B000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.733009521.0000021B9F17B000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 00000006.00000003.733083436.0000021B9F169000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.733139877.0000021B9F19B000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.733009521.0000021B9F17B000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 00000006.00000003.732219234.0000021B9F19C000.00000004.00000001.sdmp	String found in binary or memory: http://www.hulu.com/privacy
Source: svchost.exe, 00000006.00000003.732219234.0000021B9F19C000.00000004.00000001.sdmp	String found in binary or memory: http://www.hulu.com/terms
Source: svchost.exe, 00000006.00000003.740201564.0000021B9F185000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.740176639.0000021B9F169000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 00000006.00000003.740176639.0000021B9F169000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.740220945.0000021B9F158000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 00000006.00000003.740201564.0000021B9F185000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.740176639.0000021B9F169000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 00000006.00000003.733083436.0000021B9F169000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.733139877.0000021B9F19B000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.733009521.0000021B9F17B000.00000004.00000001.sdmp	String found in binary or memory: https://instagram.com/hiddencity_
Source: svchost.exe, 00000006.00000003.732219234.0000021B9F19C000.00000004.00000001.sdmp	String found in binary or memory: https://www.hulu.com/ca-privacy-rights
Source: svchost.exe, 00000006.00000003.732219234.0000021B9F19C000.00000004.00000001.sdmp	String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
Source: svchost.exe, 00000006.00000003.740201564.0000021B9F185000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.740176639.0000021B9F169000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 00000006.00000003.740201564.0000021B9F185000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.740176639.0000021B9F169000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy
Source: iasads.exe, 00000001.00000002.916621392.00000000029C5000.00000004.00000001.sdmp	String found in binary or memory: http://116.202.23.3:8080/r5KB/0fQxMGG/Oupq9wOs13sfWiBD/gc5Vty/vE4jSTsXgNE/
Source: iasads.exe, 00000001.00000002.916557279.0000000002796000.00000004.00000001.sdmp	String found in binary or memory: http://116.202.23.3:8080/r5KB/0fQxMGG/Oupq9wOs13sfWiBD/gc5Vty/vE4jSTsXgNE/u
Source: iasads.exe, 00000001.00000002.916621392.00000000029C5000.00000004.00000001.sdmp	String found in binary or memory: http://187.162.248.237/XJFVnzq0tWbi4P1dAy/IRC6lowLxMM/fdYt39ymlvWVTQYj/
Source: iasads.exe, 00000001.00000002.916621392.00000000029C5000.00000004.00000001.sdmp	String found in binary or memory: http://187.162.248.237/XJFVnzq0tWbi4P1dAy/IRC6lowLxMM/fdYt39ymlvWVTQYj/=
Source: iasads.exe, 00000001.00000002.916557279.0000000002796000.00000004.00000001.sdmp	String found in binary or memory: http://187.162.248.237/XJFVnzq0tWbi4P1dAy/IRC6lowLxMM/fdYt39ymlvWVTQYj/E/6lK/8Dak6W77/Y
Source: iasads.exe, 00000001.00000002.916621392.00000000029C5000.00000004.00000001.sdmp	String found in binary or memory: http://187.162.248.237/XJFVnzq0tWbi4P1dAy/IRC6lowLxMM/fdYt39ymlvWVTQYj/M
Source: iasads.exe, 00000001.00000002.916602786.00000000029B0000.00000004.00000001.sdmp	String found in binary or memory: http://204.225.249.100:7080/FlxTxTrqonw/nTpA5A/
Source: iasads.exe, 00000001.00000002.916609161.00000000029B2000.00000004.00000001.sdmp	String found in binary or memory: http://204.225.249.100:7080/FlxTxTrqonw/nTpA5A/OF
Source: iasads.exe, 00000001.00000002.916602786.00000000029B0000.00000004.00000001.sdmp	String found in binary or memory: http://204.225.249.100:7080/FlxTxTrqonw/nTpA5A/sfWiBD/gc5Vty/vE4jSTsXgNE//WJ
Source: iasads.exe, 00000001.00000002.916609161.00000000029B2000.00000004.00000001.sdmp	String found in binary or memory: http://204.225.249.100:7080/FlxTxTrqonw/nTpA5A/xF
Source: iasads.exe, 00000001.00000003.804234417.00000000029C5000.00000004.00000001.sdmp	String found in binary or memory: http://37.157.196.117:7080/4bCOBIUt7s6cU6Jvgi/JXp5up/UcWzB5cPiQ7/
Source: iasads.exe, 00000001.00000003.804234417.00000000029C5000.00000004.00000001.sdmp	String found in binary or memory: http://37.157.196.117:7080/4bCOBIUt7s6cU6Jvgi/JXp5up/UcWzB5cPiQ7/W77/
Source: iasads.exe, 00000001.00000003.804234417.00000000029C5000.00000004.00000001.sdmp	String found in binary or memory: http://37.157.196.117:7080/4bCOBIUt7s6cU6Jvgi/JXp5up/UcWzB5cPiQ7/l
Source: iasads.exe, 00000001.00000003.804234417.00000000029C5000.00000004.00000001.sdmp	String found in binary or memory: http://51.75.33.127/8sSmjBYNtGcEZxZ/eYwGzHgfgD2/k3qhHh1Z66lK/8Dak6W77/
Source: iasads.exe, 00000001.00000003.804234417.00000000029C5000.00000004.00000001.sdmp	String found in binary or memory: http://51.75.33.127/8sSmjBYNtGcEZxZ/eYwGzHgfgD2/k3qhHh1Z66lK/8Dak6W77/&
Source: iasads.exe, 00000001.00000002.916621392.00000000029C5000.00000004.00000001.sdmp	String found in binary or memory: http://67.247.242.247/Nqho6zVhUJa6C/pkDuvZ3V25O0/dQiyn4/SItPGhKeY/osclJh1TuJMbKe/xRD4ArEWbw/
Source: iasads.exe, 00000001.00000002.916609161.00000000029B2000.00000004.00000001.sdmp	String found in binary or memory: http://67.247.242.247/Nqho6zVhUJa6C/pkDuvZ3V25O0/dQiyn4/SItPGhKeY/osclJh1TuJMbKe/xRD4ArEWbw//W
Source: iasads.exe, 00000001.00000002.916609161.00000000029B2000.00000004.00000001.sdmp	String found in binary or memory: http://67.247.242.247/Nqho6zVhUJa6C/pkDuvZ3V25O0/dQiyn4/SItPGhKeY/osclJh1TuJMbKe/xRD4ArEWbw/RF
Source: iasads.exe, 00000001.00000002.916609161.00000000029B2000.00000004.00000001.sdmp	String found in binary or memory: http://67.247.242.247/Nqho6zVhUJa6C/pkDuvZ3V25O0/dQiyn4/SItPGhKeY/osclJh1TuJMbKe/xRD4ArEWbw/TW6
Source: iasads.exe, 00000001.00000002.916609161.00000000029B2000.00000004.00000001.sdmp	String found in binary or memory: http://67.247.242.247/Nqho6zVhUJa6C/pkDuvZ3V25O0/dQiyn4/SItPGhKeY/osclJh1TuJMbKe/xRD4ArEWbw/uF-
Source: svchost.exe, 00000006.00000003.733406954.0000021B9F126000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 00000006.00000003.733406954.0000021B9F126000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 00000006.00000003.733406954.0000021B9F126000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 00000006.00000003.733406954.0000021B9F126000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 00000006.00000003.733083436.0000021B9F169000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.733139877.0000021B9F19B000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.733009521.0000021B9F17B000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 00000006.00000003.733083436.0000021B9F169000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.733139877.0000021B9F19B000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.733009521.0000021B9F17B000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 00000006.00000003.732219234.0000021B9F19C000.00000004.00000001.sdmp	String found in binary or memory: http://www.hulu.com/privacy
Source: svchost.exe, 00000006.00000003.732219234.0000021B9F19C000.00000004.00000001.sdmp	String found in binary or memory: http://www.hulu.com/terms
Source: svchost.exe, 00000006.00000003.740201564.0000021B9F185000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.740176639.0000021B9F169000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 00000006.00000003.740176639.0000021B9F169000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.740220945.0000021B9F158000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 00000006.00000003.740201564.0000021B9F185000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.740176639.0000021B9F169000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 00000006.00000003.733083436.0000021B9F169000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.733139877.0000021B9F19B000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.733009521.0000021B9F17B000.00000004.00000001.sdmp	String found in binary or memory: https://instagram.com/hiddencity_
Source: svchost.exe, 00000006.00000003.732219234.0000021B9F19C000.00000004.00000001.sdmp	String found in binary or memory: https://www.hulu.com/ca-privacy-rights
Source: svchost.exe, 00000006.00000003.732219234.0000021B9F19C000.00000004.00000001.sdmp	String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
Source: svchost.exe, 00000006.00000003.740201564.0000021B9F185000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.740176639.0000021B9F169000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 00000006.00000003.740201564.0000021B9F185000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.740176639.0000021B9F169000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy

E-Banking Fraud:

Yara detected Emotet

Source: Yara match	File source: 00000000.00000002.649652893.0000000000450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.915855087.00000000005C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.650061400.0000000002081000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.915728577.00000000004D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.915895219.00000000005E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.649752129.00000000004B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.iasads.exe.5e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.017088f2dc57fbcba5bc1a1e4eb70a6e.exe.2080000.1.unpack, type: UNPACKEDPE

System Summary:

Creates files inside the system directory

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	File created: C:\Windows\SysWOW64\irclass\			Jump to behavior
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	File created: C:\Windows\SysWOW64\irclass\			Jump to behavior

Deletes files inside the Windows folder

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	File deleted: C:\Windows\SysWOW64\irclass\iasads.exe:Zone.Identifier			Jump to behavior
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	File deleted: C:\Windows\SysWOW64\irclass\iasads.exe:Zone.Identifier			Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_0040A843	0_2_0040A843
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_0040442C	0_2_0040442C
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_0040B0EA	0_2_0040B0EA
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_0040B4F6	0_2_0040B4F6
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_0040AD16	0_2_0040AD16
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_0040B916	0_2_0040B916
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00404A50	0_2_00404A50
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02088410	0_2_02088410
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02083E20	0_2_02083E20
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02086660	0_2_02086660
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02087820	0_2_02087820
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02084070	0_2_02084070
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02083C70	0_2_02083C70
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02081C90	0_2_02081C90
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02084097	0_2_02084097
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00455C0E	0_2_00455C0E
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_0045580E	0_2_0045580E
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_0045382E	0_2_0045382E
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00455C35	0_2_00455C35
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_004581FE	0_2_004581FE
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_004559BE	0_2_004559BE
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00459FAE	0_2_00459FAE
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_004593BE	0_2_004593BE
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_0040A843	0_2_0040A843
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_0040442C	0_2_0040442C
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_0040B0EA	0_2_0040B0EA
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_0040B4F6	0_2_0040B4F6
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_0040AD16	0_2_0040AD16
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_0040B916	0_2_0040B916
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00404A50	0_2_00404A50
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02088410	0_2_02088410
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02083E20	0_2_02083E20
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02086660	0_2_02086660
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02087820	0_2_02087820
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02084070	0_2_02084070
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02083C70	0_2_02083C70
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02081C90	0_2_02081C90
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02084097	0_2_02084097
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00455C0E	0_2_00455C0E
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_0045580E	0_2_0045580E
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_0045382E	0_2_0045382E
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00455C35	0_2_00455C35
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_004581FE	0_2_004581FE
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_004559BE	0_2_004559BE
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00459FAE	0_2_00459FAE
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_004593BE	0_2_004593BE
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_0040A843	1_2_0040A843
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_0040442C	1_2_0040442C
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_0040B0EA	1_2_0040B0EA
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_0040B4F6	1_2_0040B4F6
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_0040AD16	1_2_0040AD16
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_0040B916	1_2_0040B916
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_00404A50	1_2_00404A50
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_004D5C0E	1_2_004D5C0E
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_004D580E	1_2_004D580E
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_004D382E	1_2_004D382E
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_004D5C35	1_2_004D5C35
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_004D81FE	1_2_004D81FE
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_004D59BE	1_2_004D59BE
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_004D9FAE	1_2_004D9FAE
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_004D93BE	1_2_004D93BE

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: String function: 004049F0 appears 48 times
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: String function: 004049F0 appears 48 times
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: String function: 004049F0 appears 48 times

PE file contains strange resources

Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe, 00000000.00000002.650872949.0000000002A10000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs 017088f2dc57fbcba5bc1a1e4eb70a6e.exe
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe, 00000000.00000002.650872949.0000000002A10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 017088f2dc57fbcba5bc1a1e4eb70a6e.exe
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe, 00000000.00000002.650711663.0000000002910000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 017088f2dc57fbcba5bc1a1e4eb70a6e.exe
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe, 00000000.00000002.650872949.0000000002A10000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs 017088f2dc57fbcba5bc1a1e4eb70a6e.exe
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe, 00000000.00000002.650872949.0000000002A10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 017088f2dc57fbcba5bc1a1e4eb70a6e.exe
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe, 00000000.00000002.650711663.0000000002910000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 017088f2dc57fbcba5bc1a1e4eb70a6e.exe

Source: classification engine

Classification label: mal72.troj.evad.winEXE@6/0@0/8

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: CreateServiceW,_snwprintf,OpenSCManagerW,CloseServiceHandle,CloseServiceHandle,		0_2_02088950
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: CreateServiceW,_snwprintf,OpenSCManagerW,CloseServiceHandle,CloseServiceHandle,		0_2_02088950

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_020851F0 GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,GetProcessHeap,HeapFree,		0_2_020851F0
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_020851F0 GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,GetProcessHeap,HeapFree,		0_2_020851F0

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto			Jump to behavior
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto			Jump to behavior

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Command line argument: kernel32.dll	0_2_004017D0
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Command line argument: lhxXfY9mIrDZ	0_2_004017D0
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Command line argument: kernel32.dll	0_2_004017D0
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Command line argument: lhxXfY9mIrDZ	0_2_004017D0
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Command line argument: kernel32.dll	1_2_004017D0
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Command line argument: lhxXfY9mIrDZ	1_2_004017D0

Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	File read: C:\Users\desktop.ini			Jump to behavior
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	File read: C:\Users\desktop.ini			Jump to behavior

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers			Jump to behavior
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers			Jump to behavior

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe 'C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\irclass\iasads.exe C:\Windows\SysWOW64\irclass\iasads.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Process created: C:\Windows\SysWOW64\irclass\iasads.exe C:\Windows\SysWOW64\irclass\iasads.exe	Jump to behavior
Source: unknown	Process created: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe 'C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\irclass\iasads.exe C:\Windows\SysWOW64\irclass\iasads.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Process created: C:\Windows\SysWOW64\irclass\iasads.exe C:\Windows\SysWOW64\irclass\iasads.exe	Jump to behavior

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32			Jump to behavior
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32			Jump to behavior

Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: c:\users\dodo\downloads\systraydemosrc\systraydemo\release\SysTrayDemo.pdb source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe
Source:	Binary string: c:\users\dodo\downloads\systraydemosrc\systraydemo\release\SysTrayDemo.pdb source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe
Source:	Binary string: c:\users\dodo\downloads\systraydemosrc\systraydemo\release\SysTrayDemo.pdb source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe
Source:	Binary string: c:\users\dodo\downloads\systraydemosrc\systraydemo\release\SysTrayDemo.pdb source: 017088f2dc57fbcba5bc1a1e4eb70a6e.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_004016C0 LoadLibraryW,GetProcAddress,		0_2_004016C0
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_004016C0 LoadLibraryW,GetProcAddress,		0_2_004016C0

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_0040F4AF push ecx; ret	0_2_0040F4C2
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00404A35 push ecx; ret	0_2_00404A48
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02085EA0 push ecx; mov dword ptr [esp], 0000814Ch	0_2_02085EA1
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02085EF0 push ecx; mov dword ptr [esp], 00003778h	0_2_02085EF1
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02085F10 push ecx; mov dword ptr [esp], 0000F389h	0_2_02085F11
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02085F60 push ecx; mov dword ptr [esp], 00003EC8h	0_2_02085F61
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02085F90 push ecx; mov dword ptr [esp], 000035FCh	0_2_02085F91
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02085FB0 push ecx; mov dword ptr [esp], 0000DF00h	0_2_02085FB1
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02085FD0 push ecx; mov dword ptr [esp], 00002377h	0_2_02085FD1
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02086010 push ecx; mov dword ptr [esp], 0000F183h	0_2_02086011
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02086070 push ecx; mov dword ptr [esp], 0000AEACh	0_2_02086071
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_020860C0 push ecx; mov dword ptr [esp], 0000CA5Ch	0_2_020860C1
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_020860F0 push ecx; mov dword ptr [esp], 000009D3h	0_2_020860F1
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00457C5E push ecx; mov dword ptr [esp], 0000CA5Ch	0_2_00457C5F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00457C0E push ecx; mov dword ptr [esp], 0000AEACh	0_2_00457C0F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00457C8E push ecx; mov dword ptr [esp], 000009D3h	0_2_00457C8F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00457A3E push ecx; mov dword ptr [esp], 0000814Ch	0_2_00457A3F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00457AFE push ecx; mov dword ptr [esp], 00003EC8h	0_2_00457AFF
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00457A8E push ecx; mov dword ptr [esp], 00003778h	0_2_00457A8F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00457AAE push ecx; mov dword ptr [esp], 0000F389h	0_2_00457AAF
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00457B4E push ecx; mov dword ptr [esp], 0000DF00h	0_2_00457B4F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00457B6E push ecx; mov dword ptr [esp], 00002377h	0_2_00457B6F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00457B2E push ecx; mov dword ptr [esp], 000035FCh	0_2_00457B2F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00457BAE push ecx; mov dword ptr [esp], 0000F183h	0_2_00457BAF
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_0040F4AF push ecx; ret	0_2_0040F4C2
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00404A35 push ecx; ret	0_2_00404A48
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02085EA0 push ecx; mov dword ptr [esp], 0000814Ch	0_2_02085EA1
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02085EF0 push ecx; mov dword ptr [esp], 00003778h	0_2_02085EF1
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02085F10 push ecx; mov dword ptr [esp], 0000F389h	0_2_02085F11
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02085F60 push ecx; mov dword ptr [esp], 00003EC8h	0_2_02085F61
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02085F90 push ecx; mov dword ptr [esp], 000035FCh	0_2_02085F91
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02085FB0 push ecx; mov dword ptr [esp], 0000DF00h	0_2_02085FB1
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02085FD0 push ecx; mov dword ptr [esp], 00002377h	0_2_02085FD1
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02086010 push ecx; mov dword ptr [esp], 0000F183h	0_2_02086011
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02086070 push ecx; mov dword ptr [esp], 0000AEACh	0_2_02086071
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_020860C0 push ecx; mov dword ptr [esp], 0000CA5Ch	0_2_020860C1
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_020860F0 push ecx; mov dword ptr [esp], 000009D3h	0_2_020860F1
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00457C5E push ecx; mov dword ptr [esp], 0000CA5Ch	0_2_00457C5F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00457C0E push ecx; mov dword ptr [esp], 0000AEACh	0_2_00457C0F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00457C8E push ecx; mov dword ptr [esp], 000009D3h	0_2_00457C8F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00457A3E push ecx; mov dword ptr [esp], 0000814Ch	0_2_00457A3F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00457AFE push ecx; mov dword ptr [esp], 00003EC8h	0_2_00457AFF
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00457A8E push ecx; mov dword ptr [esp], 00003778h	0_2_00457A8F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00457AAE push ecx; mov dword ptr [esp], 0000F389h	0_2_00457AAF
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00457B4E push ecx; mov dword ptr [esp], 0000DF00h	0_2_00457B4F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00457B6E push ecx; mov dword ptr [esp], 00002377h	0_2_00457B6F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00457B2E push ecx; mov dword ptr [esp], 000035FCh	0_2_00457B2F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00457BAE push ecx; mov dword ptr [esp], 0000F183h	0_2_00457BAF
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_0040F4AF push ecx; ret	1_2_0040F4C2
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_00404A35 push ecx; ret	1_2_00404A48
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_004D7C5E push ecx; mov dword ptr [esp], 0000CA5Ch	1_2_004D7C5F
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_004D7C0E push ecx; mov dword ptr [esp], 0000AEACh	1_2_004D7C0F
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_004D7C8E push ecx; mov dword ptr [esp], 000009D3h	1_2_004D7C8F
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_004D7A3E push ecx; mov dword ptr [esp], 0000814Ch	1_2_004D7A3F
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_004D7AFE push ecx; mov dword ptr [esp], 00003EC8h	1_2_004D7AFF

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Executable created and started: C:\Windows\SysWOW64\irclass\iasads.exe			Jump to behavior
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Executable created and started: C:\Windows\SysWOW64\irclass\iasads.exe			Jump to behavior

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	PE file moved: C:\Windows\SysWOW64\irclass\iasads.exe			Jump to behavior
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	PE file moved: C:\Windows\SysWOW64\irclass\iasads.exe			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	File opened: C:\Windows\SysWOW64\irclass\iasads.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	File opened: C:\Windows\SysWOW64\irclass\iasads.exe:Zone.Identifier read attributes \| delete			Jump to behavior

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}			Jump to behavior
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}			Jump to behavior

Contains functionality to enumerate running services

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,GetProcessHeap,HeapFree,		0_2_020851F0
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,GetProcessHeap,HeapFree,		0_2_020851F0

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\svchost.exe TID: 6808	Thread sleep time: -210000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6808	Thread sleep time: -210000s >= -30000s			Jump to behavior

Program does not show much activity (idle)

Source: all processes	Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processes	Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02083A00 _snwprintf,FindNextFileW,FindNextFileW,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,		0_2_02083A00
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02083A00 _snwprintf,FindNextFileW,FindNextFileW,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,		0_2_02083A00

Source: svchost.exe, 00000003.00000002.705231520.0000023CACF40000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.719319781.00000231ABB40000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.753212853.0000021B9F800000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000006.00000002.752353632.0000021B9EA7D000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW0
Source: iasads.exe, 00000001.00000003.804173451.00000000029D3000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.752428191.0000021B9EAC7000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000003.00000002.705231520.0000023CACF40000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.719319781.00000231ABB40000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.753212853.0000021B9F800000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000003.00000002.705231520.0000023CACF40000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.719319781.00000231ABB40000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.753212853.0000021B9F800000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000003.00000002.705231520.0000023CACF40000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.719319781.00000231ABB40000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.753212853.0000021B9F800000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: svchost.exe, 00000003.00000002.705231520.0000023CACF40000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.719319781.00000231ABB40000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.753212853.0000021B9F800000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000006.00000002.752353632.0000021B9EA7D000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW0
Source: iasads.exe, 00000001.00000003.804173451.00000000029D3000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.752428191.0000021B9EAC7000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000003.00000002.705231520.0000023CACF40000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.719319781.00000231ABB40000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.753212853.0000021B9F800000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000003.00000002.705231520.0000023CACF40000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.719319781.00000231ABB40000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.753212853.0000021B9F800000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000003.00000002.705231520.0000023CACF40000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.719319781.00000231ABB40000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.753212853.0000021B9F800000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\irclass\iasads.exe	Process information queried: ProcessInformation			Jump to behavior
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Process information queried: ProcessInformation			Jump to behavior

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00402899 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00402899
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00402899 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00402899

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_004016C0 LoadLibraryW,GetProcAddress,		0_2_004016C0
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_004016C0 LoadLibraryW,GetProcAddress,		0_2_004016C0

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02084FA0 mov eax, dword ptr fs:[00000030h]	0_2_02084FA0
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02084070 mov eax, dword ptr fs:[00000030h]	0_2_02084070
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00450456 mov eax, dword ptr fs:[00000030h]	0_2_00450456
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00455C0E mov eax, dword ptr fs:[00000030h]	0_2_00455C0E
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_0045095E mov eax, dword ptr fs:[00000030h]	0_2_0045095E
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00456B3E mov eax, dword ptr fs:[00000030h]	0_2_00456B3E
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02084FA0 mov eax, dword ptr fs:[00000030h]	0_2_02084FA0
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_02084070 mov eax, dword ptr fs:[00000030h]	0_2_02084070
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00450456 mov eax, dword ptr fs:[00000030h]	0_2_00450456
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00455C0E mov eax, dword ptr fs:[00000030h]	0_2_00455C0E
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_0045095E mov eax, dword ptr fs:[00000030h]	0_2_0045095E
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00456B3E mov eax, dword ptr fs:[00000030h]	0_2_00456B3E
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_004D0456 mov eax, dword ptr fs:[00000030h]	1_2_004D0456
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_004D5C0E mov eax, dword ptr fs:[00000030h]	1_2_004D5C0E
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_004D095E mov eax, dword ptr fs:[00000030h]	1_2_004D095E
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_004D6B3E mov eax, dword ptr fs:[00000030h]	1_2_004D6B3E

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00402D2E GetStartupInfoW,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__amsg_exit,__amsg_exit,__amsg_exit,__cinit,__amsg_exit,		0_2_00402D2E
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00402D2E GetStartupInfoW,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__amsg_exit,__amsg_exit,__amsg_exit,__cinit,__amsg_exit,		0_2_00402D2E

Program does not show much activity (idle)

Source: all processes	Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processes	Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00402899 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00402899
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_0040625E SetUnhandledExceptionFilter,	0_2_0040625E
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_0040623C SetUnhandledExceptionFilter,	0_2_0040623C
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_0040372F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040372F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00408BB8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00408BB8
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00402899 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00402899
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_0040625E SetUnhandledExceptionFilter,	0_2_0040625E
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_0040623C SetUnhandledExceptionFilter,	0_2_0040623C
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_0040372F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040372F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00408BB8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00408BB8
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_00402899 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00402899
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_0040625E SetUnhandledExceptionFilter,	1_2_0040625E
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_0040623C SetUnhandledExceptionFilter,	1_2_0040623C
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_0040372F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0040372F
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: 1_2_00408BB8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00408BB8

Source: iasads.exe, 00000001.00000002.916087067.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: iasads.exe, 00000001.00000002.916087067.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: iasads.exe, 00000001.00000002.916087067.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: iasads.exe, 00000001.00000002.916087067.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: iasads.exe, 00000001.00000002.916087067.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: iasads.exe, 00000001.00000002.916087067.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: iasads.exe, 00000001.00000002.916087067.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: iasads.exe, 00000001.00000002.916087067.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00408922 cpuid		0_2_00408922
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00408922 cpuid		0_2_00408922

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: GetLocaleInfoA,	0_2_0040CCC7
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: GetLocaleInfoA,	0_2_0040CC9F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: GetLocaleInfoA,	0_2_0040A146
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: GetLocaleInfoA,	0_2_0040A500
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: _strlen,_strlen,EnumSystemLocalesA,	0_2_0040A5BF
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: _GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,	0_2_0040A660
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: GetLocaleInfoA,	0_2_0040CA78
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: _strlen,EnumSystemLocalesA,	0_2_0040A624
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: GetLocaleInfoA,	0_2_0040A228
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,__alloca_probe_16,GetLocaleInfoA,MultiByteToWideChar,	0_2_00408E2E
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: GetLastError,__invoke_watson,___crtGetLocaleInfoA,	0_2_00406AC5
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: GetLocaleInfoA,_strlen,	0_2_0040A2BE
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,	0_2_0040A330
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,	0_2_00408FA4
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: GetLocaleInfoA,	0_2_0040CCC7
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: GetLocaleInfoA,	0_2_0040CC9F
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: GetLocaleInfoA,	0_2_0040A146
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: GetLocaleInfoA,	0_2_0040A500
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: _strlen,_strlen,EnumSystemLocalesA,	0_2_0040A5BF
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: _GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,	0_2_0040A660
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: GetLocaleInfoA,	0_2_0040CA78
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: _strlen,EnumSystemLocalesA,	0_2_0040A624
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: GetLocaleInfoA,	0_2_0040A228
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,__alloca_probe_16,GetLocaleInfoA,MultiByteToWideChar,	0_2_00408E2E
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: GetLastError,__invoke_watson,___crtGetLocaleInfoA,	0_2_00406AC5
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: GetLocaleInfoA,_strlen,	0_2_0040A2BE
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,	0_2_0040A330
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,	0_2_00408FA4
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: GetLocaleInfoA,	1_2_0040CCC7
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: GetLocaleInfoA,	1_2_0040CC9F
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: GetLocaleInfoA,	1_2_0040A146
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: GetLocaleInfoA,	1_2_0040A500
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: _strlen,_strlen,EnumSystemLocalesA,	1_2_0040A5BF
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: _GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,	1_2_0040A660
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: GetLocaleInfoA,	1_2_0040CA78
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: _strlen,EnumSystemLocalesA,	1_2_0040A624
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: GetLocaleInfoA,	1_2_0040A228
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,__alloca_probe_16,GetLocaleInfoA,MultiByteToWideChar,	1_2_00408E2E
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: GetLastError,__invoke_watson,___crtGetLocaleInfoA,	1_2_00406AC5
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: GetLocaleInfoA,_strlen,	1_2_0040A2BE
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,	1_2_0040A330
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,	1_2_00408FA4

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\irclass\iasads.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\irclass\iasads.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00405FBE GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,		0_2_00405FBE
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00405FBE GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,		0_2_00405FBE

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00402D2E GetStartupInfoW,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__amsg_exit,__amsg_exit,__amsg_exit,__cinit,__amsg_exit,		0_2_00402D2E
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Code function: 0_2_00402D2E GetStartupInfoW,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__amsg_exit,__amsg_exit,__amsg_exit,__cinit,__amsg_exit,		0_2_00402D2E

Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid			Jump to behavior
Source: C:\Users\user\Desktop\017088f2dc57fbcba5bc1a1e4eb70a6e.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid			Jump to behavior

Stealing of Sensitive Information:

Yara detected Emotet

Source: Yara match	File source: 00000000.00000002.649652893.0000000000450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.915855087.00000000005C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.650061400.0000000002081000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.915728577.00000000004D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.915895219.00000000005E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.649752129.00000000004B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.iasads.exe.5e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.017088f2dc57fbcba5bc1a1e4eb70a6e.exe.2080000.1.unpack, type: UNPACKEDPE

Analysis Report 017088f2dc57fbcba5bc1a1e4eb70a6e

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Spreading:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Screenshots