Analysis Report e5ad48f310b56ceb013a30be125d967e

Overview

General Information

Sample Name: e5ad48f310b56ceb013a30be125d967e (renamed file extension from none to exe)
Analysis ID: 318838
MD5: 54240ca91f41e8fd4a3464544f37343a
SHA1: 52f5b7488b593e17f772bbfebc072d7846465492
SHA256: 99e89e6aeb74c22f8ee874570b6db414d1137f005c53196bb73014c1bed2f2b3

Detection

Emotet
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Contains capabilities to detect virtual machines
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_004025E0 CryptAcquireContextA,CryptAcquireContextA, 1_2_004025E0
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_004025E0 CryptAcquireContextA,CryptAcquireContextA, 2_2_004025E0
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_02262220 memcpy,CryptGetHashParam,CryptExportKey,CryptDestroyHash,CryptDuplicateHash,GetProcessHeap,HeapFree, 2_2_02262220
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_022625A0 CryptCreateHash,GetProcessHeap,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,GetProcessHeap,HeapFree, 2_2_022625A0
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_02261F60 memcpy,CryptDuplicateHash,CryptDestroyHash,GetProcessHeap,HeapFree, 2_2_02261F60
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_00422DBE __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 1_2_00422DBE
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_02473890 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,_snwprintf,FindFirstFileW,FindFirstFileW,FindClose,FindClose, 1_2_02473890
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_00422DBE __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 2_2_00422DBE
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_02263890 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,_snwprintf,FindFirstFileW,FindFirstFileW,FindClose,FindClose, 2_2_02263890

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.4:49742 -> 12.30.50.130:80
Source: Traffic Snort IDS: 2404306 ET CNC Feodo Tracker Reported CnC Server TCP group 4 192.168.2.4:49762 -> 139.59.67.118:443
Source: Traffic Snort IDS: 2404348 ET CNC Feodo Tracker Reported CnC Server TCP group 25 192.168.2.4:49763 -> 94.23.216.33:80
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.4:49764 -> 70.121.172.89:80
Source: Traffic Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.4:49768 -> 83.169.36.251:8080
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49746 -> 120.138.30.150:8080
Source: global traffic TCP traffic: 192.168.2.4:49768 -> 83.169.36.251:8080
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 120.138.30.150 120.138.30.150
Source: Joe Sandbox View IP Address: 70.121.172.89 70.121.172.89
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TWC-11427-TEXASUS TWC-11427-TEXASUS
Source: unknown TCP traffic detected without corresponding DNS query: 12.30.50.130
Source: unknown TCP traffic detected without corresponding DNS query: 120.138.30.150
Source: unknown TCP traffic detected without corresponding DNS query: 139.59.67.118
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.216.33
Source: unknown TCP traffic detected without corresponding DNS query: 70.121.172.89
Source: unknown TCP traffic detected without corresponding DNS query: 139.130.242.43
Source: unknown TCP traffic detected without corresponding DNS query: 83.169.36.251
Source: svchost.exe, 00000007.00000003.749819500.000001F03E91D000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000007.00000003.749819500.000001F03E91D000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000007.00000003.749732970.000001F03E971000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD",
"MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-11-16T08:29:46.4904070Z||.||18ebec36-1675-40c0-a5d4-25e9e774360f||1152921505692410033||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000007.00000003.749732970.000001F03E971000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD",
"MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-11-16T08:29:46.4904070Z||.||18ebec36-1675-40c0-a5d4-25e9e774360f||1152921505692410033||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000007.00000003.749819500.000001F03E91D000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI",( equals www.facebook.com (Facebook)
Source: svchost.exe, 00000007.00000003.749819500.000001F03E91D000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI",( equals www.twitter.com (Twitter)
Source: svchost.exe, 00000007.00000003.749819500.000001F03E91D000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000007.00000003.749819500.000001F03E91D000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000007.00000003.744547553.000001F03E95E000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","M` equals www.facebook.com (Facebook)
Source: svchost.exe, 00000007.00000003.744547553.000001F03E95E000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","M` equals www.twitter.com (Twitter)
Source: svchost.exe, 00000007.00000003.744547553.000001F03E95E000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","M` equals www.youtube.com (Youtube)
Source: svchost.exe, 00000007.00000003.743730837.000001F03E97E000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000007.00000003.743730837.000001F03E97E000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000007.00000003.743650682.000001F03E974000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1
a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":378738486,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6","PackageId":"07a1d8a1-8397-e482-20a2-bffb37866c1e-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
Source: svchost.exe, 00000007.00000003.743757547.000001F03E9B0000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000007.00000003.749819500.000001F03E91D000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000007.00000003.749819500.000001F03E91D000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000007.00000003.749732970.000001F03E971000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD",
"MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-11-16T08:29:46.4904070Z||.||18ebec36-1675-40c0-a5d4-25e9e774360f||1152921505692410033||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000007.00000003.749819500.000001F03E91D000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI",( equals www.facebook.com (Facebook)
Source: svchost.exe, 00000007.00000003.749819500.000001F03E91D000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI",( equals www.twitter.com (Twitter)
Source: svchost.exe, 00000007.00000003.749819500.000001F03E91D000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000007.00000003.749819500.000001F03E91D000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000007.00000003.744547553.000001F03E95E000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","M` equals www.facebook.com (Facebook)
Source: svchost.exe, 00000007.00000003.744547553.000001F03E95E000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","M` equals www.twitter.com (Twitter)
Source: svchost.exe, 00000007.00000003.744547553.000001F03E95E000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","M` equals www.youtube.com (Youtube)
Source: svchost.exe, 00000007.00000003.743730837.000001F03E97E000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000007.00000003.743650682.000001F03E974000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1
a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":378738486,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6","PackageId":"07a1d8a1-8397-e482-20a2-bffb37866c1e-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.37.3702.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
Source: svchost.exe, 00000007.00000003.743757547.000001F03E9B0000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000007.00000003.743757547.000001F03E9B0000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: mfc100kor.exe, 00000002.00000002.922916445.0000000002B30000.00000004.00000001.sdmp, mfc100kor.exe, 00000002.00000002.922932566.0000000002B48000.00000004.00000001.sdmp String found in binary or memory: http://120.138.30.150:8080/1jEWda/A82WvTGxGu3aD5S0Dw/0h8shQ6ndpI7/0QUcn/FYbmKxTKcNKaOC5fv/
Source: mfc100kor.exe, 00000002.00000002.922932566.0000000002B48000.00000004.00000001.sdmp String found in binary or memory: http://70.121.172.89/0NIW31RWqZY0xkYFvrT/4UQNdJ/
Source: mfc100kor.exe, 00000002.00000002.922932566.0000000002B48000.00000004.00000001.sdmp String found in binary or memory: http://70.121.172.89/0NIW31RWqZY0xkYFvrT/4UQNdJ/Q_
Source: mfc100kor.exe, 00000002.00000002.922861234.0000000002914000.00000004.00000001.sdmp, mfc100kor.exe, 00000002.00000002.922932566.0000000002B48000.00000004.00000001.sdmp String found in binary or memory: http://83.169.36.251:8080/DPQoC99CgnXP8kS/LtMH9FkY/l5oLo5/QgEciUHzs03FUXl/
Source: mfc100kor.exe, 00000002.00000002.922916445.0000000002B30000.00000004.00000001.sdmp String found in binary or memory: http://83.169.36.251:8080/DPQoC99CgnXP8kS/LtMH9FkY/l5oLo5/QgEciUHzs03FUXl/bS/
Source: mfc100kor.exe, 00000002.00000002.922916445.0000000002B30000.00000004.00000001.sdmp String found in binary or memory: http://83.169.36.251:8080/DPQoC99CgnXP8kS/LtMH9FkY/l5oLo5/QgEciUHzs03FUXl/bS/G
Source: mfc100kor.exe, 00000002.00000002.922916445.0000000002B30000.00000004.00000001.sdmp String found in binary or memory: http://83.169.36.251:8080/DPQoC99CgnXP8kS/LtMH9FkY/l5oLo5/QgEciUHzs03FUXl/bS/i
Source: mfc100kor.exe, 00000002.00000002.922916445.0000000002B30000.00000004.00000001.sdmp String found in binary or memory: http://83.169.36.251:8080/DPQoC99CgnXP8kS/LtMH9FkY/l5oLo5/QgEciUHzs03FUXl/gq
Source: svchost.exe, 00000007.00000002.761406503.000001F03E070000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 00000007.00000002.761406503.000001F03E070000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 00000007.00000002.761406503.000001F03E070000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 00000007.00000002.761406503.000001F03E070000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 00000007.00000003.744361573.000001F03E95B000.00000004.00000001.sdmp String found in binary or memory: http://universalstore.streaming.mediaservices.windows.net/9adabec7-728d-40ae-bc7c-edfdf7b55512/7c98a
Source: svchost.exe, 00000007.00000003.743757547.000001F03E9B0000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.743730837.000001F03E97E000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.744547553.000001F03E95E000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.743650682.000001F03E974000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 00000007.00000003.743757547.000001F03E9B0000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.743730837.000001F03E97E000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.744547553.000001F03E95E000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.743650682.000001F03E974000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 00000007.00000003.742721916.000001F03E9A7000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/privacy
Source: svchost.exe, 00000007.00000003.742721916.000001F03E9A7000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/terms
Source: e5ad48f310b56ceb013a30be125d967e.exe String found in binary or memory: http://www.ucancode.net/
Source: e5ad48f310b56ceb013a30be125d967e.exe String found in binary or memory: http://www.ucancode.net/(R-%u
Source: svchost.exe, 00000007.00000003.748714900.000001F03E9A3000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.748593081.000001F03E983000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 00000007.00000003.748714900.000001F03E9A3000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.748593081.000001F03E983000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.748943930.000001F03E91D000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.748851536.000001F03E971000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 00000007.00000003.748714900.000001F03E9A3000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.748593081.000001F03E983000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 00000007.00000003.743757547.000001F03E9B0000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.743730837.000001F03E97E000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.744547553.000001F03E95E000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.743650682.000001F03E974000.00000004.00000001.sdmp String found in binary or memory: https://instagram.com/hiddencity_
Source: svchost.exe, 00000007.00000003.742721916.000001F03E9A7000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/ca-privacy-rights
Source: svchost.exe, 00000007.00000003.742721916.000001F03E9A7000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
Source: svchost.exe, 00000007.00000003.748714900.000001F03E9A3000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.748593081.000001F03E983000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 00000007.00000003.748714900.000001F03E9A3000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.748593081.000001F03E983000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_0042156C GetKeyState,GetKeyState,GetKeyState,GetKeyState, 1_2_0042156C
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_0041F578 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 1_2_0041F578
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_0042156C GetKeyState,GetKeyState,GetKeyState,GetKeyState, 2_2_0042156C
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_0041F578 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 2_2_0041F578

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 00000002.00000002.922258213.0000000002261000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.659571562.0000000002471000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.659525551.0000000002440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.659556247.0000000002454000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.922240285.0000000002244000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.921780876.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.e5ad48f310b56ceb013a30be125d967e.exe.2470000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.mfc100kor.exe.2260000.2.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_022625A0 CryptCreateHash,GetProcessHeap,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,GetProcessHeap,HeapFree, 2_2_022625A0

System Summary:

Creates files inside the system directory
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe File created: C:\Windows\SysWOW64\AcWinRT\
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe File deleted: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe:Zone.Identifier
Detected potential crypto function
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_0041C270 1_2_0041C270
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_0041E906 1_2_0041E906
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_00412A9F 1_2_00412A9F
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_02477D00 1_2_02477D00
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_02476350 1_2_02476350
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_02477510 1_2_02477510
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_02471C10 1_2_02471C10
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_0244989E 1_2_0244989E
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_024490AE 1_2_024490AE
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_02447EEE 1_2_02447EEE
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_024437AE 1_2_024437AE
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_0041C270 2_2_0041C270
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_0041E906 2_2_0041E906
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_00412A9F 2_2_00412A9F
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_02266350 2_2_02266350
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_02267510 2_2_02267510
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_02261C10 2_2_02261C10
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_02267D00 2_2_02267D00
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: String function: 0040FDD8 appears 132 times
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: String function: 0040FDD8 appears 132 times
PE file contains strange resources
Source: e5ad48f310b56ceb013a30be125d967e.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: e5ad48f310b56ceb013a30be125d967e.exe, 00000001.00000002.659640859.00000000026A0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs e5ad48f310b56ceb013a30be125d967e.exe
Source: e5ad48f310b56ceb013a30be125d967e.exe, 00000001.00000002.659514318.0000000002430000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs e5ad48f310b56ceb013a30be125d967e.exe
Source: e5ad48f310b56ceb013a30be125d967e.exe, 00000001.00000002.660300127.0000000002DF0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs e5ad48f310b56ceb013a30be125d967e.exe
Source: e5ad48f310b56ceb013a30be125d967e.exe, 00000001.00000002.660300127.0000000002DF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs e5ad48f310b56ceb013a30be125d967e.exe
Source: classification engine Classification label: mal64.troj.evad.winEXE@7/0@0/7
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: CloseServiceHandle,CreateServiceW,OpenSCManagerW,_snwprintf,GetProcessHeap,HeapFree,CloseServiceHandle, 1_2_02478600
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_02264B50 Process32NextW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32NextW,FindCloseChangeNotification, 2_2_02264B50
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_00421C03 __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow, 1_2_00421C03
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_02474F10 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,HeapFree,RtlFreeHeap, 1_2_02474F10
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: e5ad48f310b56ceb013a30be125d967e.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe 'C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe'
Source: unknown Process created: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Process created: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_0041FD50 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary, 1_2_0041FD50
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_00410B20 push eax; ret 1_2_00410B4E
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_0040FDD8 push eax; ret 1_2_0040FDF6
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_02475B60 push ecx; mov dword ptr [esp], 0000D816h 1_2_02475B61
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_02475BE0 push ecx; mov dword ptr [esp], 000053E2h 1_2_02475BE1
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_02475BB0 push ecx; mov dword ptr [esp], 000037F7h 1_2_02475BB1
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_02475E20 push ecx; mov dword ptr [esp], 00004801h 1_2_02475E21
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_02475C60 push ecx; mov dword ptr [esp], 0000EF4Dh 1_2_02475C61
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_02475C10 push ecx; mov dword ptr [esp], 00009001h 1_2_02475C11
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_02475CC0 push ecx; mov dword ptr [esp], 0000C67Eh 1_2_02475CC1
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_02475D00 push ecx; mov dword ptr [esp], 00009B14h 1_2_02475D01
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_02475D30 push ecx; mov dword ptr [esp], 000021E7h 1_2_02475D31
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_02475DF0 push ecx; mov dword ptr [esp], 0000DCB3h 1_2_02475DF1
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_02475DB0 push ecx; mov dword ptr [esp], 0000A689h 1_2_02475DB1
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_0244785E push ecx; mov dword ptr [esp], 0000C67Eh 1_2_0244785F
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_024478CE push ecx; mov dword ptr [esp], 000021E7h 1_2_024478CF
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_0244789E push ecx; mov dword ptr [esp], 00009B14h 1_2_0244789F
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_0244794E push ecx; mov dword ptr [esp], 0000A689h 1_2_0244794F
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_0244798E push ecx; mov dword ptr [esp], 0000DCB3h 1_2_0244798F
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_024479BE push ecx; mov dword ptr [esp], 00004801h 1_2_024479BF
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_024476FE push ecx; mov dword ptr [esp], 0000D816h 1_2_024476FF
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_0244774E push ecx; mov dword ptr [esp], 000037F7h 1_2_0244774F
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_0244777E push ecx; mov dword ptr [esp], 000053E2h 1_2_0244777F
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_024477FE push ecx; mov dword ptr [esp], 0000EF4Dh 1_2_024477FF
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_024477AE push ecx; mov dword ptr [esp], 00009001h 1_2_024477AF
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_00410B20 push eax; ret 2_2_00410B4E
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_0040FDD8 push eax; ret 2_2_0040FDF6
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_02265B60 push ecx; mov dword ptr [esp], 0000D816h 2_2_02265B61
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_02265BB0 push ecx; mov dword ptr [esp], 000037F7h 2_2_02265BB1
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_02265BE0 push ecx; mov dword ptr [esp], 000053E2h 2_2_02265BE1
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_02265E20 push ecx; mov dword ptr [esp], 00004801h 2_2_02265E21
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_02265C10 push ecx; mov dword ptr [esp], 00009001h 2_2_02265C11

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Executable created and started: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe PE file moved: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe File opened: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_0041A1D0 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA, 1_2_0041A1D0
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_0040777E IsIconic,GetWindowPlacement,GetWindowRect, 1_2_0040777E
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_00419A20 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC, 1_2_00419A20
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_00402C10 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 1_2_00402C10
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_0041A1D0 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA, 2_2_0041A1D0
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_0040777E IsIconic,GetWindowPlacement,GetWindowRect, 2_2_0040777E
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_00419A20 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC, 2_2_00419A20
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_00402C10 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 2_2_00402C10
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,HeapFree,RtlFreeHeap, 1_2_02474F10
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6612 Thread sleep time: -180000s >= -30000s
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_00422DBE __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 1_2_00422DBE
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_02473890 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,_snwprintf,FindFirstFileW,FindFirstFileW,FindClose,FindClose, 1_2_02473890
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_00422DBE __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 2_2_00422DBE
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_02263890 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,_snwprintf,FindFirstFileW,FindFirstFileW,FindClose,FindClose, 2_2_02263890
Source: svchost.exe, 00000000.00000002.666443853.000001D90A860000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.716880260.000001A794940000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.731206101.000002266EB40000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.763028173.000001F03F000000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: mfc100kor.exe, 00000002.00000002.922916445.0000000002B30000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWP
Source: mfc100kor.exe, 00000002.00000003.791759149.0000000002B56000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.761448495.000001F03E0AA000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000000.00000002.666443853.000001D90A860000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.716880260.000001A794940000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.731206101.000002266EB40000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.763028173.000001F03F000000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000000.00000002.666443853.000001D90A860000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.716880260.000001A794940000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.731206101.000002266EB40000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.763028173.000001F03F000000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000000.00000002.666443853.000001D90A860000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.716880260.000001A794940000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.731206101.000002266EB40000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.763028173.000001F03F000000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_0041FD50 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary, 1_2_0041FD50
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_02473E20 mov eax, dword ptr fs:[00000030h] 1_2_02473E20
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_02474CC0 mov eax, dword ptr fs:[00000030h] 1_2_02474CC0
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_0244685E mov eax, dword ptr fs:[00000030h] 1_2_0244685E
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_0244095E mov eax, dword ptr fs:[00000030h] 1_2_0244095E
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_024459BE mov eax, dword ptr fs:[00000030h] 1_2_024459BE
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_02440456 mov eax, dword ptr fs:[00000030h] 1_2_02440456
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_02451030 mov eax, dword ptr fs:[00000030h] 1_2_02451030
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_02263E20 mov eax, dword ptr fs:[00000030h] 2_2_02263E20
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_02264CC0 mov eax, dword ptr fs:[00000030h] 2_2_02264CC0
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_02241030 mov eax, dword ptr fs:[00000030h] 2_2_02241030
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_02473070 PathFindExtensionW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,lstrcpynW, 1_2_02473070
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_004146AA SetUnhandledExceptionFilter, 1_2_004146AA
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_004146BC SetUnhandledExceptionFilter, 1_2_004146BC
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_004146AA SetUnhandledExceptionFilter, 2_2_004146AA
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Code function: 2_2_004146BC SetUnhandledExceptionFilter, 2_2_004146BC
Source: mfc100kor.exe, 00000002.00000002.922163208.0000000000D30000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: mfc100kor.exe, 00000002.00000002.922163208.0000000000D30000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: mfc100kor.exe, 00000002.00000002.922163208.0000000000D30000.00000002.00000001.sdmp Binary or memory string: Progman
Source: mfc100kor.exe, 00000002.00000002.922163208.0000000000D30000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\AcWinRT\mfc100kor.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_024780A0 GetModuleFileNameW,GetSystemTimeAsFileTime,CreateFileW,CreateFileW, 1_2_024780A0
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_00415963 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 1_2_00415963
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Code function: 1_2_00426581 GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA, 1_2_00426581
Source: C:\Users\user\Desktop\e5ad48f310b56ceb013a30be125d967e.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000002.00000002.922258213.0000000002261000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.659571562.0000000002471000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.659525551.0000000002440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.659556247.0000000002454000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.922240285.0000000002244000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.921780876.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.e5ad48f310b56ceb013a30be125d967e.exe.2470000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.mfc100kor.exe.2260000.2.unpack, type: UNPACKEDPE