
Analysis Report 2ojdmC51As.exe

Overview

General Information

Sample Name: 2ojdmC51As.exe
Analysis ID: 319735
MD5: 5804d97670dcdfab88ba830682355dad
SHA1: 65c817fb511824fa185f34ecd744b836ed7a19eb
SHA256: 4e885ada930e285a005c5211b8a652dc0eb11a06ccf530561afa88aefe99c9fc

Detection

Emotet
Score: 80 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • 2ojdmC51As.exe (PID: 6240 cmdline: 'C:\Users\user\Desktop\2ojdmC51As.exe' MD5: 5804D97670DCDFAB88BA830682355DAD)
    • sort.exe (PID: 4564 cmdline: C:\Windows\SysWOW64\setupugc\sort.exe MD5: 5804D97670DCDFAB88BA830682355DAD)
  • svchost.exe (PID: 6680 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6748 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7124 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
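The tree above shows the sample starting a copy of itself from C:\Windows\SysWOW64\setupugc\sort.exe: a new name and a new location, but the same MD5 (5804D97670DCDFAB88BA830682355DAD) as the file on the desktop. That is the behaviour behind the "Drops executables to the windows directory (C:\Windows) and starts them" signature, and it is easy to hunt for in process-creation telemetry that records image hashes. The following Python is an added example, not code from Joe Sandbox or from this report: it flags any child process whose image hash equals its parent's image hash but whose image now lives under C:\Windows while the parent ran from elsewhere. The event records are constructed from the Startup tree above; the report does not show a parent for the svchost.exe instances, so their ppid is left unset.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None where the report does not show the parent
    image: str
    md5: str


# Process-creation events constructed from the Startup tree in this report
# (PIDs, image paths and MD5s are the ones listed there).
EVENTS = [
    ProcEvent(6240, None, r"C:\Users\user\Desktop\2ojdmC51As.exe", "5804D97670DCDFAB88BA830682355DAD"),
    ProcEvent(4564, 6240, r"C:\Windows\SysWOW64\setupugc\sort.exe", "5804D97670DCDFAB88BA830682355DAD"),
    ProcEvent(6680, None, r"C:\Windows\System32\svchost.exe", "32569E403279B3FD2EDB7EBD036273FA"),
    ProcEvent(6748, None, r"C:\Windows\System32\svchost.exe", "32569E403279B3FD2EDB7EBD036273FA"),
    ProcEvent(7124, None, r"C:\Windows\System32\svchost.exe", "32569E403279B3FD2EDB7EBD036273FA"),
]

WINDOWS_DIR = "c:\\windows\\"


def _under_windows(path: str) -> bool:
    """True if the (normalised, case-folded) path is inside C:\\Windows."""
    return ntpath.normpath(path).lower().startswith(WINDOWS_DIR)


def find_self_copies(events: List[ProcEvent]) -> List[dict]:
    """Flag a child whose image has the same hash as its parent's image but
    was started from under C:\\Windows while the parent ran from elsewhere.
    A hash match with a different file name means the binary was copied and
    renamed, which legitimate installers do not normally do to themselves."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.ppid)      # ppid None -> no parent record
        if parent is None:
            continue
        if (child.md5.lower() == parent.md5.lower()
                and _under_windows(child.image)
                and not _under_windows(parent.image)):
            hits.append({
                "parent_pid": parent.pid,
                "child_pid": child.pid,
                "dropped_image": child.image,
                "renamed": ntpath.basename(child.image).lower()
                           != ntpath.basename(parent.image).lower(),
                "md5": child.md5.upper(),
            })
    return hits


if __name__ == "__main__":
    for hit in find_self_copies(EVENTS):
        print(f"PID {hit['parent_pid']} re-launched itself as {hit['dropped_image']} "
              f"(PID {hit['child_pid']}, renamed={hit['renamed']}, MD5 {hit['md5']})")
```

On real telemetry the same check runs over Sysmon event ID 1 (which carries the image hash and the parent's image path) or any EDR process-start feed; the MD5 comparison can be swapped for SHA256 without changing the logic.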

Malware Configuration

Threatname: Emotet

{"C2 list": ["200.116.145.225:443", "96.126.101.6:8080", "5.196.108.185:8080", "167.114.153.111:8080", "194.187.133.160:443", "98.174.164.72:80", "103.86.49.11:8080", "78.24.219.147:8080", "50.245.107.73:443", "110.145.77.103:80", "94.200.114.161:80", "61.19.246.238:443", "194.4.58.192:7080", "209.54.13.14:80", "102.182.93.220:80", "186.70.56.94:443", "203.153.216.189:7080", "49.50.209.131:80", "176.113.52.6:443", "62.30.7.67:443", "61.76.222.210:80", "113.61.66.94:80", "157.245.99.39:8080", "216.139.123.119:80", "184.180.181.202:80", "123.142.37.166:80", "124.41.215.226:80", "119.59.116.21:8080", "41.185.28.84:8080", "5.39.91.110:7080", "220.245.198.194:80", "139.162.108.71:8080", "75.143.247.51:80", "74.214.230.200:80", "185.94.252.104:443", "208.180.207.205:80", "49.3.224.99:8080", "93.147.212.206:80", "182.208.30.18:443", "95.213.236.64:8080", "37.187.72.193:8080", "59.125.219.109:443", "37.179.204.33:80", "95.9.5.93:80", "168.235.67.138:7080", "118.83.154.64:443", "121.7.31.214:80", "74.208.45.104:8080", "87.106.136.232:8080", "138.68.87.218:443", "62.75.141.82:80", "66.76.12.94:8080", "202.134.4.216:8080", "47.36.140.164:80", "110.142.236.207:80", "134.209.144.106:443", "89.216.122.92:80", "75.188.96.231:80", "24.179.13.119:80", "218.147.193.146:80", "174.106.122.139:80", "71.15.245.148:8080", "104.131.11.150:443", "202.141.243.254:443", "94.230.70.6:80", "24.178.90.49:80", "97.82.79.83:80", "68.252.26.78:80", "173.63.222.65:80", "162.241.242.173:8080", "79.137.83.50:443", "80.241.255.202:8080", "120.150.60.189:80", "96.245.227.43:80", "50.91.114.38:80", "83.110.223.58:443", "24.230.141.169:80", "37.139.21.175:8080", "202.134.4.211:8080", "190.240.194.77:443", "176.111.60.55:8080", "123.176.25.234:80", "209.141.54.221:7080", "115.94.207.99:443", "50.35.17.13:80", "109.74.5.95:8080", "120.150.218.241:443", "121.124.124.40:7080", "217.20.166.178:7080", "108.46.29.236:80", "2.58.16.89:8080", "85.105.111.166:80", "137.59.187.107:8080", "139.162.60.124:8080", 
"76.175.162.101:80", "139.99.158.11:443", "104.131.123.136:443", "91.211.88.52:7080", "91.146.156.228:80", "172.104.97.173:8080", "89.121.205.18:80", "186.74.215.34:80", "61.33.119.226:443", "162.241.140.129:8080", "130.0.132.242:80", "190.108.228.27:443", "201.241.127.190:80", "87.106.139.101:8080", "78.188.106.53:443", "188.219.31.12:80", "76.171.227.238:80", "72.143.73.234:443", "62.171.142.179:8080", "139.59.60.244:8080", "24.137.76.62:80", "172.86.188.251:8080", "172.91.208.86:80", "94.23.237.171:443", "200.116.145.225:443", "96.126.101.6:8080", "5.196.108.185:8080", "167.114.153.111:8080", "194.187.133.160:443", "98.174.164.72:80", "103.86.49.11:8080", "78.24.219.147:8080", "50.245.107.73:443", "110.145.77.103:80", "94.200.114.161:80", "61.19.246.238:443", "194.4.58.192:7080", "209.54.13.14:80", "102.182.93.220:80", "186.70.56.94:443", "203.153.216.189:7080", "49.50.209.131:80", "176.113.52.6:443", "62.30.7.67:443", "61.76.222.210:80", "113.61.66.94:80", "157.245.99.39:8080", "216.139.123.119:80", "184.180.181.202:80", "123.142.37.166:80", "124.41.215.226:80", "119.59.116.21:8080", "41.185.28.84:8080", "5.39.91.110:7080", "220.245.198.194:80", "139.162.108.71:8080", "75.143.247.51:80", "74.214.230.200:80", "185.94.252.104:443", "208.180.207.205:80", "49.3.224.99:8080", "93.147.212.206:80", "182.208.30.18:443", "95.213.236.64:8080", "37.187.72.193:8080", "59.125.219.109:443", "37.179.204.33:80", "95.9.5.93:80", "168.235.67.138:7080", "118.83.154.64:443", "121.7.31.214:80", "74.208.45.104:8080", "87.106.136.232:8080", "138.68.87.218:443", "62.75.141.82:80", "66.76.12.94:8080", "202.134.4.216:8080", "47.36.140.164:80", "110.142.236.207:80", "134.209.144.106:443", "89.216.122.92:80", "75.188.96.231:80", "24.179.13.119:80", "218.147.193.146:80", "174.106.122.139:80", "71.15.245.148:8080", "104.131.11.150:443", "202.141.243.254:443", "94.230.70.6:80", "24.178.90.49:80", "97.82.79.83:80", "68.252.26.78:80", "173.63.222.65:80", "162.241.242.173:8080", 
"79.137.83.50:443", "80.241.255.202:8080", "120.150.60.189:80", "96.245.227.43:80", "50.91.114.38:80", "83.110.223.58:443", "24.230.141.169:80", "37.139.21.175:8080", "202.134.4.211:8080", "190.240.194.77:443", "176.111.60.55:8080", "123.176.25.234:80", "209.141.54.221:7080", "115.94.207.99:443", "50.35.17.13:80", "109.74.5.95:8080", "120.150.218.241:443", "121.124.124.40:7080", "217.20.166.178:7080", "108.46.29.236:80", "2.58.16.89:8080", "85.105.111.166:80", "137.59.187.107:8080", "139.162.60.124:8080", "76.175.162.101:80", "139.99.158.11:443", "104.131.123.136:443", "91.211.88.52:7080", "91.146.156.228:80", "172.104.97.173:8080", "89.121.205.18:80", "186.74.215.34:80", "61.33.119.226:443", "162.241.140.129:8080", "130.0.132.242:80", "190.108.228.27:443", "201.241.127.190:80", "87.106.139.101:8080", "78.188.106.53:443", "188.219.31.12:80", "76.171.227.238:80", "72.143.73.234:443", "62.171.142.179:8080", "139.59.60.244:8080", "24.137.76.62:80", "172.86.188.251:8080", "172.91.208.86:80", "94.23.237.171:443"], "RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB"}
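The extracted configuration is the most directly usable artefact in this report: a list of ip:port C2 pairs and the bot's embedded RSA public key, given as a base64 DER SubjectPublicKeyInfo. Note that the extractor output lists every address twice (the list restarts at 200.116.145.225:443 after 94.23.237.171:443), so it should be de-duplicated before it is turned into block rules. The following Python is an added example, not part of Joe Sandbox or of this report: it de-duplicates and validates the C2 list, counts entries per port, and reads the modulus size and exponent out of the key with a minimal DER reader, using only the standard library. The embedded configuration is an excerpt of the one above (a short C2 subset with one deliberate repeat, plus the complete key string).

```python
import base64
import ipaddress
import json
from collections import Counter

# Excerpt of the configuration shown in this report. Only a few C2 entries are
# kept (the complete list is in the report); the first two are repeated on
# purpose because the extracted list itself contains every address twice.
EMOTET_CONFIG_JSON = r'''
{"C2 list": ["200.116.145.225:443", "96.126.101.6:8080", "5.196.108.185:8080",
             "194.4.58.192:7080", "98.174.164.72:80",
             "200.116.145.225:443", "96.126.101.6:8080"],
 "RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB"}
'''

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _der_read(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos).
    Handles short- and long-form lengths, which is all an SPKI needs."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(b64_spki: str) -> dict:
    """Parse an X.509 SubjectPublicKeyInfo (the format this config embeds) and
    return modulus size and public exponent, without any crypto library."""
    der = base64.b64decode(b64_spki)        # the embedded newlines are ignored
    tag, spki, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    tag, alg_id, pos = _der_read(spki, 0)
    _, oid, _ = _der_read(alg_id, 0)
    if tag != 0x30 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = _der_read(spki, pos)
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("unexpected BIT STRING encoding")
    _, rsa_pub, _ = _der_read(bit_string, 1)   # skip the unused-bits octet
    tag_n, n_bytes, pos = _der_read(rsa_pub, 0)
    tag_e, e_bytes, _ = _der_read(rsa_pub, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("RSAPublicKey must hold two INTEGERs")
    n = int.from_bytes(n_bytes, "big")      # leading 0x00 pad byte is harmless
    e = int.from_bytes(e_bytes, "big")
    return {"modulus_bits": n.bit_length(), "exponent": e, "modulus": n}


def summarize_c2(config: dict) -> dict:
    """De-duplicate the C2 list (order preserved), validate every entry as
    ip:port, and count the unique entries per port."""
    unique = []
    for entry in config["C2 list"]:
        host, _, port = entry.rpartition(":")
        ipaddress.ip_address(host)          # raises on anything that is not an IP
        if not 0 < int(port) < 65536:
            raise ValueError(f"bad port in {entry}")
        if entry not in unique:
            unique.append(entry)
    return {
        "raw_count": len(config["C2 list"]),
        "unique_count": len(unique),
        "per_port": dict(Counter(int(e.rpartition(":")[2]) for e in unique)),
        "c2": unique,
    }


def analyse(config_json: str) -> dict:
    config = json.loads(config_json)
    return {"c2": summarize_c2(config),
            "rsa": parse_rsa_spki(config["RSA Public Key"])}


if __name__ == "__main__":
    result = analyse(EMOTET_CONFIG_JSON)
    c2, rsa = result["c2"], result["rsa"]
    print(f"{c2['raw_count']} C2 entries, {c2['unique_count']} unique, per port {c2['per_port']}")
    print(f"RSA-{rsa['modulus_bits']} public key, e={rsa['exponent']}")
```

The key in this sample decodes to a 768-bit RSA modulus with e = 65537; the modulus size (and the key itself) is a useful pivot for clustering samples from the same Emotet infrastructure, since it changes far less often than the C2 list.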

Yara Overview

Memory Dumps

Source                                                               Rule                Description           Author        Strings
00000001.00000002.931629655.0000000002220000.00000040.00000001.sdmp  JoeSecurity_Emotet  Yara detected Emotet  Joe Security
00000000.00000002.667768852.0000000000664000.00000004.00000001.sdmp  JoeSecurity_Emotet  Yara detected Emotet  Joe Security
00000001.00000002.931663752.0000000002244000.00000004.00000001.sdmp  JoeSecurity_Emotet  Yara detected Emotet  Joe Security
00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp  JoeSecurity_Emotet  Yara detected Emotet  Joe Security
00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp  JoeSecurity_Emotet  Yara detected Emotet  Joe Security
(1 further entry not shown)

            Unpacked PEs

Source                               Rule                Description           Author        Strings
0.2.2ojdmC51As.exe.2230000.1.unpack  JoeSecurity_Emotet  Yara detected Emotet  Joe Security
1.2.sort.exe.2270000.1.unpack        JoeSecurity_Emotet  Yara detected Emotet  Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000002.931629655.0000000002220000.00000040.00000001.sdmp  Malware Configuration Extractor: Emotet (the full configuration is reproduced under Malware Configuration above)
Machine Learning detection for sample
Source: 2ojdmC51As.exe  Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\setupugc\sort.exe  Code function: 1_2_02272650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,
Source: C:\Windows\SysWOW64\setupugc\sort.exe  Code function: 1_2_02272290 CryptGetHashParam,CryptEncrypt,CryptDestroyHash,CryptDuplicateHash,memcpy,CryptExportKey,GetProcessHeap,RtlAllocateHeap,
Source: C:\Windows\SysWOW64\setupugc\sort.exe  Code function: 1_2_02271FB0 memcpy,GetProcessHeap,RtlAllocateHeap,CryptVerifySignatureW,CryptDestroyHash,CryptDecrypt,CryptDuplicateHash,
Source: C:\Users\user\Desktop\2ojdmC51As.exe  Code function: 0_2_004182CC FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\2ojdmC51As.exe  Code function: 0_2_00417B29 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,
Source: C:\Users\user\Desktop\2ojdmC51As.exe  Code function: 0_2_022338F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,
Source: C:\Windows\SysWOW64\setupugc\sort.exe  Code function: 1_2_004182CC FindFirstFileA,FindClose,
Source: C:\Windows\SysWOW64\setupugc\sort.exe  Code function: 1_2_00417B29 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,
Source: C:\Windows\SysWOW64\setupugc\sort.exe  Code function: 1_2_022738F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic  Snort IDS: 2404324 ET CNC Feodo Tracker Reported CnC Server TCP group 13 192.168.2.4:49742 -> 200.116.145.225:443
Source: Joe Sandbox View  ASN Name: EPMTelecomunicacionesSAESPCO
Source: global traffic  HTTP traffic detected (headers re-wrapped one per line):

    POST /0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: keep-alive
    Referer: 200.116.145.225/
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=---------hcIbcONok
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 200.116.145.225:443
    Content-Length: 4628
    Cache-Control: no-cache

Source: unknown  TCP traffic detected without corresponding DNS query: 200.116.145.225 (reported 12 times)
Source: C:\Windows\SysWOW64\setupugc\sort.exe  Code function: 1_2_022729B0 InternetReadFile,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,HttpQueryInfoW,
                Source: svchost.exe, 00000006.00000003.758933962.0000027873F2A000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
                Source: svchost.exe, 00000006.00000003.758933962.0000027873F2A000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
                Source: svchost.exe, 00000006.00000003.758933962.0000027873F2A000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU",
"SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-11-16T08:29:46.4904070Z||.||18ebec36-1675-40c0-a5d4-25e9e774360f||1152921505692410033||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
                Source: svchost.exe, 00000006.00000003.758971863.0000027873F66000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI", equals www.facebook.com (Facebook)
                Source: svchost.exe, 00000006.00000003.758971863.0000027873F66000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI", equals www.twitter.com (Twitter)
                Source: svchost.exe, 00000006.00000003.753689942.0000027873F58000.00000004.00000001.sdmp | String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
                Source: svchost.exe, 00000006.00000003.753653199.0000027873F79000.00000004.00000001.sdmp | String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
                Source: svchost.exe, 00000006.00000003.758933962.0000027873F2A000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
                Source: svchost.exe, 00000006.00000003.758933962.0000027873F2A000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
                Source: svchost.exe, 00000006.00000003.758933962.0000027873F2A000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU",
"SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-11-16T08:29:46.4904070Z||.||18ebec36-1675-40c0-a5d4-25e9e774360f||1152921505692410033||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
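Every row above is Microsoft Store catalog JSON (ProductId, PackageFamilyName, SearchTitleType and similar keys) found in svchost.exe memory; the Facebook and Twitter matches are URLs inside the Spotify and Hidden City store descriptions, so they say nothing about the sample's own infrastructure and mostly add noise to IOC extraction. The Python script below is an added triage example, not part of the Joe Sandbox report: it parses rows in the shape shown on this page (with or without a separator between the .sdmp name and the description), drops verbatim repeats, and sets aside rows whose matched string carries two or more Store catalog keys, so only the remaining domain hits need analyst attention. The sample rows inside it are constructed, shortened copies modelled on the rows above; the sample.exe row is hypothetical, and reading the first field of the .sdmp name as the process number and the 16-hex-digit field as the region base address is an assumption.

```python
"""Triage of Joe Sandbox "String found in binary or memory" rows (added example,
not part of the original report): parse, drop verbatim repeats, and set aside
rows whose matched string is Microsoft Store catalog JSON."""
import re
from collections import Counter
from typing import Optional

# Row shape on this page: "Source: <process>, <dump>.sdmp[ |] String found in
# binary or memory: <string>[ equals <domain> (<label>)]".  The 'equals' suffix
# is optional because the report truncates very long strings before it.
ROW_RE = re.compile(
    r"^Source:\s*(?P<proc>[^,]+),\s*"
    r"(?P<dump>[0-9A-Fa-f.]+\.sdmp)\s*(?:\|\s*)?"
    r"String found in binary or memory:\s*"
    r"(?P<body>.*?)"
    r"(?:\s+equals\s+(?P<domain>\S+)\s+\((?P<label>[^)]*)\))?\s*$",
    re.DOTALL,
)

# Keys seen in Microsoft Store / Xbox catalog JSON; two or more in one matched
# string is treated as catalog data rather than attacker content.
STORE_MARKERS = (
    '"PackageFamilyName"', '"PublisherCertificateName"', '"ProductId"',
    '"SearchTitleString"', '"SearchTitleType"', '"LegacyWindowsStoreProductId"',
    '"XboxTitleId"', '"DisplaySkuAvailabilities"',
)


def parse_dump(dump: str) -> dict:
    """Split the .sdmp name.  Reading the first field as the process number and
    the 16-hex-digit field as the region base address is an assumption."""
    fields = dump[: -len(".sdmp")].split(".")
    base = next((f for f in fields if len(f) == 16), None)
    return {
        "process": int(fields[0], 16) if fields and fields[0] else None,
        "base_address": int(base, 16) if base else None,
    }


def parse_row(line: str) -> Optional[dict]:
    """Return the row's fields, or None if the line is not such a row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    row["body"] = row["body"].strip()
    row.update(parse_dump(row["dump"]))
    return row


def is_store_catalog_json(body: str) -> bool:
    """True when the matched string carries at least two Store catalog keys."""
    return sum(marker in body for marker in STORE_MARKERS) >= 2


def triage(lines: list) -> dict:
    """De-duplicate rows and separate catalog noise from rows worth review."""
    seen, noise, review, unparsed = set(), [], [], 0
    for line in lines:
        row = parse_row(line)
        if row is None:
            unparsed += 1
            continue
        key = (row["proc"], row["dump"], row["body"], row["domain"])
        if key in seen:  # verbatim repeat of an earlier row
            continue
        seen.add(key)
        (noise if is_store_catalog_json(row["body"]) else review).append(row)
    return {"total": len(lines), "unparsed": unparsed,
            "unique": len(noise) + len(review), "store_catalog_noise": len(noise),
            "to_review": review,
            "domains_by_process": Counter((r["proc"], r["domain"])
                                          for r in review if r["domain"])}


# Constructed sample rows: shortened copies modelled on the rows above, plus
# one hypothetical non-catalog row ("sample.exe") that is not from the report.
_SPOTIFY = ('Source: svchost.exe, 00000006.00000003.758971863.0000027873F66000.'
            '00000004.00000001.sdmpString found in binary or memory: Like us on '
            'Facebook: http://www.facebook.com/spotify","SkuTitle":"Spotify Music",'
            '"ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":'
            '"SpotifyAB.SpotifyMusic_zpdnekdrzrea0"}')
SAMPLE_ROWS = [
    _SPOTIFY + " equals www.facebook.com (Facebook)",
    _SPOTIFY + " equals www.twitter.com (Twitter)",
    _SPOTIFY + " equals www.facebook.com (Facebook)",  # verbatim repeat
    # truncated row: the 'equals ...' suffix did not survive
    'Source: svchost.exe, 00000006.00000003.753689942.0000027873F58000.00000004.'
    '00000001.sdmpString found in binary or memory: FIND US: www.facebook.com/'
    'HiddenCityGame","ProductTitle":"Hidden City: Hidden Object Adventure",'
    '"SearchTitles":[{"SearchTitleString":"find hidden objects ",'
    '"SearchTitleType":"SearchHint"}]',
    'Source: sample.exe, 00000001.00000002.100000000.0000000000400000.00000040.'
    '00000001.sdmp | String found in binary or memory: http://www.facebook.com/'
    ' equals www.facebook.com (Facebook)',
]

if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    print({k: v for k, v in result.items() if k != "to_review"})
    for row in result["to_review"]:
        print(row["proc"], hex(row["base_address"]), row["domain"], row["body"])
```

Run on the five constructed rows, the script reports four unique rows, three of them catalog noise, and leaves only the hypothetical sample.exe hit for review; feeding it the full "String found in binary or memory" section of a report gives the same reduction at scale. The two-marker threshold is deliberately conservative: a single stray key such as "ProductId" in an unrelated string does not hide a row, while a real catalog fragment always carries several.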
                Source: svchost.exe, 00000006.00000003.753653199.0000027873F79000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
                Source: unknown HTTP traffic detected:
                    POST /0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                    Accept-Encoding: gzip, deflate
                    DNT: 1
                    Connection: keep-alive
                    Referer: 200.116.145.225/
                    Upgrade-Insecure-Requests: 1
                    Content-Type: multipart/form-data; boundary=---------hcIbcONok
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                    Host: 200.116.145.225:443
                    Content-Length: 4628
                    Cache-Control: no-cache
                Source: sort.exe, 00000001.00000002.932263156.0000000002AA3000.00000004.00000001.sdmp String found in binary or memory: http://200.116.145.225:443/0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm
                Source: svchost.exe, 00000006.00000002.770339069.00000278736D9000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                Source: svchost.exe, 00000006.00000002.770339069.00000278736D9000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                Source: svchost.exe, 00000006.00000002.770339069.00000278736D9000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                Source: svchost.exe, 00000006.00000002.770339069.00000278736D9000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
                Source: svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp String found in binary or memory: http://universalstore.streaming.mediaservices.windows.net/411ee20d-d1b8-4d57-ae3f-af22235d79d9/1f8e1
                Source: svchost.exe, 00000006.00000003.753653199.0000027873F79000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.753689942.0000027873F58000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
                Source: svchost.exe, 00000006.00000003.753653199.0000027873F79000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.753689942.0000027873F58000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
                Source: svchost.exe, 00000006.00000003.752710199.0000027873F8F000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/privacy
                Source: svchost.exe, 00000006.00000003.752710199.0000027873F8F000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/terms
                Source: svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758104226.0000027873F6B000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
                Source: svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758104226.0000027873F6B000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758139074.0000027873F62000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
                Source: svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758104226.0000027873F6B000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
                Source: svchost.exe, 00000006.00000003.753653199.0000027873F79000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.753689942.0000027873F58000.00000004.00000001.sdmp String found in binary or memory: https://instagram.com/hiddencity_
                Source: sort.exe, 00000001.00000002.932252355.0000000002A7F000.00000004.00000001.sdmp String found in binary or memory: https://watson.telemet:443/0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm
                Source: svchost.exe, 00000006.00000003.752710199.0000027873F8F000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/ca-privacy-rights
                Source: svchost.exe, 00000006.00000003.752710199.0000027873F8F000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
                Source: svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758104226.0000027873F6B000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
                Source: svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758104226.0000027873F6B000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
                Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
                Source: 2ojdmC51As.exe, 00000000.00000002.667805094.000000000069A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_00422473 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,
                Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_00422488 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,
                Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_0041580E GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
                Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_004238DC GetKeyState,GetKeyState,GetKeyState,
                Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_0041E95F ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,
                Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_00412ABD GetKeyState,GetKeyState,GetKeyState,GetKeyState,
                Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_00410E05 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,SendMessageA,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,
                Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_00422473 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,
                Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_00422488 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,
                Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_0041580E GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
                Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_004238DC GetKeyState,GetKeyState,GetKeyState,
                Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_0041E95F ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,
                Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_00412ABD GetKeyState,GetKeyState,GetKeyState,GetKeyState,
                Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_00410E05 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,SendMessageA,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,

                E-Banking Fraud:

                Yara detected EmotetShow sources
                Source: Yara matchFile source: 00000001.00000002.931629655.0000000002220000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.667768852.0000000000664000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.931663752.0000000002244000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.667721626.0000000000620000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0.2.2ojdmC51As.exe.2230000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.sort.exe.2270000.1.unpack, type: UNPACKEDPE
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02272650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | File created: C:\Windows\SysWOW64\setupugc\
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | File deleted: C:\Windows\SysWOW64\setupugc\sort.exe:Zone.Identifier
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_00408293
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_004145CA
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_02238240
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_02237740
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_02236530
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_02233BA0
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_02233F20
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_02231C70
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_02233D10
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_00408293
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_004145CA
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02278240
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02277740
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02276530
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02273BA0
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02273F20
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02271C70
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02273D10
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02225ABE
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_0223F2F9
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_022292DE
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_0222380E
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_022258AE
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_022280CE
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_0222573E
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02229DDE
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: String function: 00406520 appears 174 times
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: String function: 00405626 appears 49 times
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: String function: 00406520 appears 168 times
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: String function: 00405626 appears 44 times
                Source: 2ojdmC51As.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: 2ojdmC51As.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: 2ojdmC51As.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: 2ojdmC51As.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: 2ojdmC51As.exe, 00000000.00000000.665451688.000000000043C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameEffectDemo.EXEN vs 2ojdmC51As.exe
                Source: 2ojdmC51As.exe, 00000000.00000002.668209951.0000000002640000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs 2ojdmC51As.exe
                Source: 2ojdmC51As.exe, 00000000.00000002.668209951.0000000002640000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 2ojdmC51As.exe
                Source: 2ojdmC51As.exe, 00000000.00000002.668161072.00000000025E0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs 2ojdmC51As.exe
                Source: 2ojdmC51As.exe | Binary or memory string: OriginalFilenameEffectDemo.EXEN vs 2ojdmC51As.exe
                Source: classification engine | Classification label: mal80.troj.evad.winEXE@6/0@0/2
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_00418C88 __EH_prolog,GetDiskFreeSpaceA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA,
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: CloseServiceHandle,_snwprintf,CreateServiceW,CloseServiceHandle,
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02274CB0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification,
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_00412121 __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_02235070 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,
                Source: 2ojdmC51As.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | File read: C:\Users\desktop.ini
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: unknown | Process created: C:\Users\user\Desktop\2ojdmC51As.exe 'C:\Users\user\Desktop\2ojdmC51As.exe'
                Source: unknown | Process created: C:\Windows\SysWOW64\setupugc\sort.exe C:\Windows\SysWOW64\setupugc\sort.exe
                Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Process created: C:\Windows\SysWOW64\setupugc\sort.exe C:\Windows\SysWOW64\setupugc\sort.exe
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_004013A4 LoadLibraryA,GetProcAddress,CreateDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,CreateDirectoryA,VirtualAlloc,
                Source: 2ojdmC51As.exe | Static PE information: real checksum: 0x69574 should be: 0x6a2b7
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_00406520 push eax; ret
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_00406830 push eax; ret
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_02235E10 push ecx; mov dword ptr [esp], 0000F5B3h
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_02235EA0 push ecx; mov dword ptr [esp], 0000A3FDh
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_02235EF0 push ecx; mov dword ptr [esp], 0000669Ch
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_02235F20 push ecx; mov dword ptr [esp], 0000E36Ch
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_02235CD0 push ecx; mov dword ptr [esp], 00001CE1h
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_02235D20 push ecx; mov dword ptr [esp], 0000C5A1h
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_02235D00 push ecx; mov dword ptr [esp], 00001F9Eh
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_02235D50 push ecx; mov dword ptr [esp], 00006847h
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_02235D90 push ecx; mov dword ptr [esp], 0000B2E0h
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_02235DF0 push ecx; mov dword ptr [esp], 0000AAF5h
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_02235DC0 push ecx; mov dword ptr [esp], 000089FAh
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_00406520 push eax; ret
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_00406830 push eax; ret
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02275E10 push ecx; mov dword ptr [esp], 0000F5B3h
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02275EA0 push ecx; mov dword ptr [esp], 0000A3FDh
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02275EF0 push ecx; mov dword ptr [esp], 0000669Ch
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02275F20 push ecx; mov dword ptr [esp], 0000E36Ch
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02275CD0 push ecx; mov dword ptr [esp], 00001CE1h
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02275D20 push ecx; mov dword ptr [esp], 0000C5A1h
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02275D00 push ecx; mov dword ptr [esp], 00001F9Eh
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02275D50 push ecx; mov dword ptr [esp], 00006847h
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02275D90 push ecx; mov dword ptr [esp], 0000B2E0h
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02275DF0 push ecx; mov dword ptr [esp], 0000AAF5h
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02275DC0 push ecx; mov dword ptr [esp], 000089FAh
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_0223EA26 push ebp; iretd
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02227A3E push ecx; mov dword ptr [esp], 0000A3FDh
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02227ABE push ecx; mov dword ptr [esp], 0000E36Ch
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_0223EA8B push edi; ret
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02227A8E push ecx; mov dword ptr [esp], 0000669Ch

                Persistence and Installation Behavior:

                Drops executables to the windows directory (C:\Windows) and starts them
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Executable created and started: C:\Windows\SysWOW64\setupugc\sort.exe
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | PE file moved: C:\Windows\SysWOW64\setupugc\sort.exe

                Hooking and other Techniques for Hiding and Protection:

                Hides that the sample has been downloaded from the Internet (zone.identifier)
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | File opened: C:\Windows\SysWOW64\setupugc\sort.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_0042252B IsWindowVisible,IsIconic,
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_004198B0 GetParent,GetParent,GetParent,IsIconic,
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_00404F00 IsIconic,GetWindowPlacement,GetWindowRect,
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_0042252B IsWindowVisible,IsIconic,
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_004198B0 GetParent,GetParent,GetParent,IsIconic,
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_00404F00 IsIconic,GetWindowPlacement,GetWindowRect,
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion:

                Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | API coverage: 3.2 %
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | API coverage: 4.8 %
                Source: C:\Windows\System32\svchost.exe TID: 5820 | Thread sleep time: -150000s >= -30000s
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_004182CC FindFirstFileA,FindClose,
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_00417B29 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_022338F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_004182CC FindFirstFileA,FindClose,
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_00417B29 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_022738F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,
                Source: svchost.exe, 00000003.00000002.727188639.0000024903260000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.740471778.0000024E18060000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.771007712.0000027874600000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: sort.exe, 00000001.00000002.932241533.0000000002A70000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.770339069.00000278736D9000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                Source: svchost.exe, 00000003.00000002.727188639.0000024903260000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.740471778.0000024E18060000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.771007712.0000027874600000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: svchost.exe, 00000003.00000002.727188639.0000024903260000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.740471778.0000024E18060000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.771007712.0000027874600000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: svchost.exe, 00000003.00000002.727188639.0000024903260000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.740471778.0000024E18060000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.771007712.0000027874600000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | API call chain: ExitProcess graph end node
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_004013A4 LoadLibraryA,GetProcAddress,CreateDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,CreateDirectoryA,VirtualAlloc,
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_004013A4 LoadLibraryA,GetProcAddress,CreateDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,CreateDirectoryA,VirtualAlloc,
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_02234E20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_02233F20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_02234E20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_02233F20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_02274E20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_02273F20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_02225ABE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_0222095E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_022269BE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_02220456 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_02241030 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_022342F0 GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_022342F0 GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_00409C36 SetUnhandledExceptionFilter,
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_00409C48 SetUnhandledExceptionFilter,
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_00409C36 SetUnhandledExceptionFilter,
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_00409C48 SetUnhandledExceptionFilter,
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_00409C36 SetUnhandledExceptionFilter,
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_00409C48 SetUnhandledExceptionFilter,
                Source: sort.exe, 00000001.00000002.931565521.0000000000C60000.00000002.00000001.sdmpBinary or memory string: Program Manager
                Source: sort.exe, 00000001.00000002.931565521.0000000000C60000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                Source: sort.exe, 00000001.00000002.931565521.0000000000C60000.00000002.00000001.sdmpBinary or memory string: Progman
                Source: sort.exe, 00000001.00000002.931565521.0000000000C60000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                Source: sort.exe, 00000001.00000002.931565521.0000000000C60000.00000002.00000001.sdmpBinary or memory string: Program Manager
                Source: sort.exe, 00000001.00000002.931565521.0000000000C60000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                Source: sort.exe, 00000001.00000002.931565521.0000000000C60000.00000002.00000001.sdmpBinary or memory string: Progman
                Source: sort.exe, 00000001.00000002.931565521.0000000000C60000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                Source: C:\Windows\SysWOW64\setupugc\sort.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\setupugc\sort.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_00406204 GetLocalTime,GetSystemTime,GetTimeZoneInformation,
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_00406204 GetLocalTime,GetSystemTime,GetTimeZoneInformation,
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_00406204 GetLocalTime,GetSystemTime,GetTimeZoneInformation,
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_00406204 GetLocalTime,GetSystemTime,GetTimeZoneInformation,
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_00425FF1 GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA,
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_00425FF1 GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA,
                Source: C:\Windows\SysWOW64\setupugc\sort.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: C:\Windows\SysWOW64\setupugc\sort.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match | File source: 00000001.00000002.931629655.0000000002220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.667768852.0000000000664000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.931663752.0000000002244000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.667721626.0000000000620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.2ojdmC51As.exe.2230000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.sort.exe.2270000.1.unpack, type: UNPACKEDPE

                Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Service Execution 1 | Windows Service 2 | Windows Service 2 | Masquerading 12 | Input Capture 2 | System Time Discovery 2 | Remote Services | Input Capture 2 | Exfiltration Over Other Network Medium | Encrypted Channel 22 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact 1
Default Accounts | Native API 11 | Boot or Logon Initialization Scripts | Process Injection 2 | Virtualization/Sandbox Evasion 2 | LSASS Memory | Security Software Discovery 21 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 2 | Security Account Manager | Virtualization/Sandbox Evasion 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Process Discovery 3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | System Service Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | File Deletion 1 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery 2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery 16 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                Behavior Graph


                Screenshots


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

Source | Detection | Scanner | Label
2ojdmC51As.exe | 100% | Joe Sandbox ML |

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

Source | Detection | Scanner | Label
0.2.2ojdmC51As.exe.2230000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.2.sort.exe.2270000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

                Domains

                No Antivirus matches

                URLs

Source | Detection | Scanner | Label
http://200.116.145.225:443/0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm | 0% | Avira URL Cloud | safe
https://200.116.145.225:443/0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm/ | 0% | Avira URL Cloud | safe
https://watson.telemet:443/0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm | 0% | Avira URL Cloud | safe

                Domains and IPs

                Contacted Domains

                No contacted domains info

                Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://200.116.145.225:443/0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm/ | true | Avira URL Cloud: safe | unknown

                URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.hulu.com/privacy | svchost.exe, 00000006.00000003.752710199.0000027873F8F000.00000004.00000001.sdmp | false | | high
http://200.116.145.225:443/0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm | sort.exe, 00000001.00000002.932263156.0000000002AA3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.g5e.com/G5_End_User_License_Supplemental_Terms | svchost.exe, 00000006.00000003.753653199.0000027873F79000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.753689942.0000027873F58000.00000004.00000001.sdmp | false | | high
https://www.hulu.com/do-not-sell-my-info | svchost.exe, 00000006.00000003.752710199.0000027873F8F000.00000004.00000001.sdmp | false | | high
http://www.hulu.com/terms | svchost.exe, 00000006.00000003.752710199.0000027873F8F000.00000004.00000001.sdmp | false | | high
https://corp.roblox.com/contact/ | svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758104226.0000027873F6B000.00000004.00000001.sdmp | false | | high
https://www.roblox.com/develop | svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758104226.0000027873F6B000.00000004.00000001.sdmp | false | | high
http://universalstore.streaming.mediaservices.windows.net/411ee20d-d1b8-4d57-ae3f-af22235d79d9/1f8e1 | svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp | false | | high
https://instagram.com/hiddencity_ | svchost.exe, 00000006.00000003.753653199.0000027873F79000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.753689942.0000027873F58000.00000004.00000001.sdmp | false | | high
https://watson.telemet:443/0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm | sort.exe, 00000001.00000002.932252355.0000000002A7F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.roblox.com/info/privacy | svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758104226.0000027873F6B000.00000004.00000001.sdmp | false | | high
http://www.g5e.com/termsofservice | svchost.exe, 00000006.00000003.753653199.0000027873F79000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.753689942.0000027873F58000.00000004.00000001.sdmp | false | | high
https://en.help.roblox.com/hc/en-us | svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758104226.0000027873F6B000.00000004.00000001.sdmp | false | | high
https://corp.roblox.com/parents/ | svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758104226.0000027873F6B000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758139074.0000027873F62000.00000004.00000001.sdmp | false | | high
https://www.hulu.com/ca-privacy-rights | svchost.exe, 00000006.00000003.752710199.0000027873F8F000.00000004.00000001.sdmp | false | | high

                                          Contacted IPs


                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
200.116.145.225 | unknown | Colombia | 13489 | EPMTelecomunicacionesSAESPCO | true

                                          Private

                                          IP
                                          192.168.2.1

                                          General Information

                                          Joe Sandbox Version:31.0.0 Red Diamond
                                          Analysis ID:319735
                                          Start date:18.11.2020
                                          Start time:15:59:41
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 7m 38s
                                          Hypervisor based Inspection enabled:false
                                          Report type:light
                                          Sample file name:2ojdmC51As.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                          Number of analysed new started processes analysed:14
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal80.troj.evad.winEXE@6/0@0/2
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HDC Information:
                                          • Successful, ratio: 65.4% (good quality ratio 64.7%)
                                          • Quality average: 85%
                                          • Quality standard deviation: 22.1%
                                          HCA Information:
                                          • Successful, ratio: 86%
                                          • Number of executed functions: 0
                                          • Number of non-executed functions: 0
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Found application associated with file extension: .exe
                                          Warnings:
                                          • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe
                                          • Excluded IPs from analysis (whitelisted): 168.61.161.212, 13.88.21.125, 51.104.139.180, 52.155.217.156, 20.54.26.129, 67.26.137.254, 8.241.11.126, 8.248.133.254, 8.253.204.249, 8.253.204.121, 92.122.213.247, 92.122.213.194, 51.11.168.160
                                          • Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • VT rate limit hit for: /opt/package/joesandbox/database/analysis/319735/sample/2ojdmC51As.exe

                                          Simulations

                                          Behavior and APIs

Time | Type | Description
16:01:17 | API Interceptor | 10x Sleep call for process: svchost.exe modified

                                          Joe Sandbox View / Context

                                          IPs

Match | Associated Sample Name / URL | Detection | Context
200.116.145.225 | GM8716863026AA.doc | malicious | 200.116.145.225:443/eHRi0AsvmChNb0B/Sq2LBDG3K/dHE8SMLlJOlFGym/g6iocDdP0QPHR/

                                          Domains

                                          No context

                                          ASN

Match | Associated Sample Name / URL | Detection | Context
EPMTelecomunicacionesSAESPCO | A8732vSTKW.exe | malicious | 181.129.134.18
 | pIxnU8KH8P.exe | malicious | 181.129.134.18
 | 4UwAHMfQ1s.exe | malicious | 181.129.104.139
 | 8vjs9LBNaU.exe | malicious | 181.129.134.18
 | zL474n0Mst.exe | malicious | 200.116.145.225
 | z9dSgDlbe1.exe | malicious | 200.116.145.225
 | 0FzZuRH6Gy.exe | malicious | 200.116.145.225
 | JdjCbjCf.exe | malicious | 201.232.179.81
 | qwhWqUYlnN.exe | malicious | 181.143.194.138
 | 7U0Y1bRt9b.exe | malicious | 200.116.232.186
 | zLjBdL6Lbk.exe | malicious | 181.129.93.226
 | GM8716863026AA.doc | malicious | 200.116.145.225
 | a.exe | malicious | 200.122.209.78
 | SecuriteInfo.com.Trojan.GenericKDZ.69690.30809.exe | malicious | 181.129.104.139
 | SecuriteInfo.com.Trojan.GenericKDZ.69690.25514.exe | malicious | 181.129.134.18
 | Archivo Pdf.exe | malicious | 181.140.213.213
 | 14082020 PDF.exe | malicious | 181.140.213.213
 | Solicitud.exe | malicious | 181.140.213.213
 | CITA FISCAL N#U00ba 00964673335 15 ABRIL DE 2020.exe | malicious | 181.141.10.15
 | 9459cddst.exe | malicious | 200.116.232.186

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          No created / dropped files found

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Entropy (8bit):7.0032331918802715
                                          TrID:
                                          • Win32 Executable (generic) a (10002005/4) 99.83%
                                          • Windows Screen Saver (13104/52) 0.13%
                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                          • DOS Executable Generic (2002/1) 0.02%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:2ojdmC51As.exe
                                          File size:376832
                                          MD5:5804d97670dcdfab88ba830682355dad
                                          SHA1:65c817fb511824fa185f34ecd744b836ed7a19eb
                                          SHA256:4e885ada930e285a005c5211b8a652dc0eb11a06ccf530561afa88aefe99c9fc
                                          SHA512:befd479d37ff5bef768d61aeec101b4f584e8519f4b3d60f6f0692614ce8925a8303ae478b4d21652b64bc36bc38e9df2eb44d874c2f973f310f2e8ff2a0c7a4
                                          SSDEEP:6144:HzoTjUrx4KVHa9eUfTLHy2VrH0D+wieIMl7lT2IcO/wksAPJLzx:ToCHVcjZwie57l6i/wi
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........!..`r..`r..`r..`r..`r..sr..`r..as..`r..arC.`rp.nr..`r..jr..`r..kr..`rK.fr..`rRich..`r................PE..L......_...........

                                          File Icon

                                          Icon Hash:71b018ccc6577131

                                          Static PE Info

                                          General

                                          Entrypoint:0x406388
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                          DLL Characteristics:
                                          Time Stamp:0x5F920784 [Thu Oct 22 22:28:20 2020 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:875a1634331d344707689db6d9489063

                                          Entrypoint Preview

                                          Instruction
                                          push ebp
                                          mov ebp, esp
                                          push FFFFFFFFh
                                          push 0042F100h
                                          push 00409800h
                                          mov eax, dword ptr fs:[00000000h]
                                          push eax
                                          mov dword ptr fs:[00000000h], esp
                                          sub esp, 58h
                                          push ebx
                                          push esi
                                          push edi
                                          mov dword ptr [ebp-18h], esp
                                          call dword ptr [0042B2CCh]
                                          xor edx, edx
                                          mov dl, ah
                                          mov dword ptr [00439D04h], edx
                                          mov ecx, eax
                                          and ecx, 000000FFh
                                          mov dword ptr [00439D00h], ecx
                                          shl ecx, 08h
                                          add ecx, edx
                                          mov dword ptr [00439CFCh], ecx
                                          shr eax, 10h
                                          mov dword ptr [00439CF8h], eax
                                          push 00000001h
                                          call 00007F25005A0C0Eh
                                          pop ecx
                                          test eax, eax
                                          jne 00007F250059F68Ah
                                          push 0000001Ch
                                          call 00007F250059F748h
                                          pop ecx
                                          call 00007F25005A2079h
                                          test eax, eax
                                          jne 00007F250059F68Ah
                                          push 00000010h
                                          call 00007F250059F737h
                                          pop ecx
                                          xor esi, esi
                                          mov dword ptr [ebp-04h], esi
                                          call 00007F25005A28B2h
                                          call dword ptr [0042B1D0h]
                                          mov dword ptr [0043B87Ch], eax
                                          call 00007F25005A2770h
                                          mov dword ptr [00439CE8h], eax
                                          call 00007F25005A2519h
                                          call 00007F25005A245Bh
                                          call 00007F250059F86Ch
                                          mov dword ptr [ebp-30h], esi
                                          lea eax, dword ptr [ebp-5Ch]
                                          push eax
                                          call dword ptr [0042B1D4h]
                                          call 00007F25005A23ECh
                                          mov dword ptr [ebp-64h], eax
                                          test byte ptr [ebp-30h], 00000001h
                                          je 00007F250059F688h
                                          movzx eax, word ptr [ebp+00h]

                                          Rich Headers

                                          Programming Language:
                                          • [ C ] VS98 (6.0) build 8168
                                          • [RES] VS98 (6.0) cvtres build 1720
                                          • [C++] VS98 (6.0) build 8168

                                          Data Directories

                                           Name | Virtual Address | Virtual Size | Is in Section
                                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0x33a68 | 0xb4 | .rdata
                                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3c000 | 0x23812 | .rsrc
                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IAT | 0x2b000 | 0x5c8 | .rdata
                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                          Sections

                                           Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                           .text | 0x1000 | 0x29ef1 | 0x2a000 | False | 0.574718656994 | data | 6.56296579611 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                           .rdata | 0x2b000 | 0xa8be | 0xb000 | False | 0.309792258523 | data | 4.42786700159 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                           .data | 0x36000 | 0x5890 | 0x2000 | False | 0.253784179688 | data | 3.64382398996 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                           .rsrc | 0x3c000 | 0x23812 | 0x24000 | False | 0.909579806858 | data | 7.73501222548 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                          Resources

                                           Name | RVA | Size | Type | Language | Country
                                           RT_CURSOR | 0x3c8e0 | 0x134 | data | English | United States
                                           RT_CURSOR | 0x3ca14 | 0xb4 | data | English | United States
                                           RT_CURSOR | 0x3cac8 | 0x134 | data | English | United States
                                           RT_CURSOR | 0x3cbfc | 0xb4 | data | English | United States
                                           RT_ICON | 0x3ccb0 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676 | English | United States
                                           RT_ICON | 0x3cf98 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                                           RT_ICON | 0x3d0c0 | 0x2e8 | data | English | United States
                                           RT_ICON | 0x3d3a8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                                           RT_MENU | 0x3d4d0 | 0x23e | data | English | United States
                                           RT_STRING | 0x3d710 | 0x90 | data | English | United States
                                           RT_STRING | 0x3d7a0 | 0x3e | data | English | United States
                                           RT_STRING | 0x3d7e0 | 0x296 | data | English | United States
                                           RT_STRING | 0x3da78 | 0x260 | data | English | United States
                                           RT_STRING | 0x3dcd8 | 0x328 | data | English | United States
                                           RT_STRING | 0x3e000 | 0x70 | data | English | United States
                                           RT_STRING | 0x3e070 | 0x106 | data | English | United States
                                           RT_STRING | 0x3e178 | 0xda | data | English | United States
                                           RT_STRING | 0x3e254 | 0x46 | data | English | United States
                                           RT_STRING | 0x3e29c | 0xc6 | data | English | United States
                                           RT_STRING | 0x3e364 | 0x1f8 | data | English | United States
                                           RT_STRING | 0x3e55c | 0x86 | data | English | United States
                                           RT_STRING | 0x3e5e4 | 0xd0 | data | English | United States
                                           RT_STRING | 0x3e6b4 | 0x2a | data | English | United States
                                           RT_STRING | 0x3e6e0 | 0x14a | data | English | United States
                                           RT_STRING | 0x3e82c | 0x124 | data | English | United States
                                           RT_STRING | 0x3e950 | 0x4e2 | data | English | United States
                                           RT_STRING | 0x3ee34 | 0x2a2 | data | English | United States
                                           RT_STRING | 0x3f0d8 | 0x2dc | data | English | United States
                                           RT_STRING | 0x3f3b4 | 0xac | data | English | United States
                                           RT_STRING | 0x3f460 | 0xde | data | English | United States
                                           RT_STRING | 0x3f540 | 0x4c4 | data | English | United States
                                           RT_STRING | 0x3fa04 | 0x264 | data | English | United States
                                           RT_STRING | 0x3fc68 | 0x2c | data | English | United States
                                           RT_ACCELERATOR | 0x3fc94 | 0x70 | data | English | United States
                                           RT_ACCELERATOR | 0x3fd04 | 0x18 | data | English | United States
                                           RT_RCDATA | 0x3fd1c | 0x1f733 | data | English | United States
                                           RT_GROUP_CURSOR | 0x5f450 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States
                                           RT_GROUP_CURSOR | 0x5f474 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States
                                           RT_GROUP_ICON | 0x5f498 | 0x22 | data | English | United States
                                           RT_GROUP_ICON | 0x5f4bc | 0x22 | data | English | United States
                                           RT_VERSION | 0x5f4e0 | 0x314 | data | English | United States
                                           None | 0x5f7f4 | 0x1e | data | English | United States

                                          Imports

                                           DLL | Import
                                           KERNEL32.dll | VirtualFree, IsBadWritePtr, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, SetUnhandledExceptionFilter, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, HeapCreate, IsBadCodePtr, SetStdHandle, CompareStringA, CompareStringW, SetEnvironmentVariableA, HeapDestroy, GetACP, HeapSize, HeapReAlloc, RaiseException, TerminateProcess, ExitProcess, GetCommandLineA, GetStartupInfoA, HeapFree, InterlockedExchange, GetLocalTime, GetSystemTime, GetTimeZoneInformation, RtlUnwind, HeapAlloc, FileTimeToLocalFileTime, FileTimeToSystemTime, SetErrorMode, SystemTimeToFileTime, LocalFileTimeToFileTime, GetFileSize, GetVolumeInformationA, FindFirstFileA, FindClose, DeleteFileA, MoveFileA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, CreateFileA, DuplicateHandle, GetOEMCP, GetCPInfo, GetProcessVersion, WritePrivateProfileStringA, TlsGetValue, LocalReAlloc, TlsSetValue, EnterCriticalSection, GlobalReAlloc, LeaveCriticalSection, TlsFree, GlobalHandle, DeleteCriticalSection, TlsAlloc, InitializeCriticalSection, LocalFree, LocalAlloc, WideCharToMultiByte, InterlockedIncrement, GlobalFlags, InterlockedDecrement, GetLastError, SetLastError, MulDiv, lstrlenA, MultiByteToWideChar, GetDiskFreeSpaceA, GetFileTime, SetFileTime, GetFullPathNameA, GetTempFileNameA, lstrcpynA, GetFileAttributesA, FreeLibrary, GetVersion, lstrcatA, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, lstrcpyA, GetModuleHandleA, CloseHandle, GetModuleFileNameA, GlobalAlloc, GlobalDeleteAtom, lstrcmpiA, GetCurrentThread, GetCurrentThreadId, lstrcmpA, GlobalLock, GlobalUnlock, GlobalFree, LockResource, FindResourceA, LoadResource, GetTickCount, Sleep, LoadLibraryA, VirtualAlloc, GetModuleHandleExA, GetProcAddress, GetCurrentProcess, IsBadReadPtr
                                           USER32.dll | TranslateAcceleratorA, ReleaseCapture, GetDesktopWindow, DestroyMenu, LoadMenuA, SetMenu, ReuseDDElParam, UnpackDDElParam, BringWindowToTop, ClientToScreen, GetWindowDC, BeginPaint, EndPaint, TabbedTextOutA, DrawTextA, GrayStringA, IsZoomed, SetParent, IsRectEmpty, AppendMenuA, DeleteMenu, GetSystemMenu, GetClassNameA, GetSysColorBrush, LoadStringA, CharUpperA, FindWindowA, GetTabbedTextExtentA, KillTimer, WindowFromPoint, InflateRect, SetCapture, InvertRect, GetDCEx, LockWindowUpdate, GetDC, ReleaseDC, LoadCursorA, DestroyCursor, ShowWindow, SetWindowTextA, IsDialogMessageA, SetDlgItemTextA, LoadIconA, UpdateWindow, SendDlgItemMessageA, MapWindowPoints, GetSysColor, SetFocus, AdjustWindowRectEx, ScreenToClient, EqualRect, DeferWindowPos, BeginDeferWindowPos, CopyRect, EndDeferWindowPos, ScrollWindow, GetScrollInfo, LoadAcceleratorsA, ShowScrollBar, GetScrollRange, SetScrollRange, GetScrollPos, SetScrollPos, GetTopWindow, IsChild, GetCapture, WinHelpA, wsprintfA, GetClassInfoA, RegisterClassA, GetMenu, GetMenuItemCount, GetSubMenu, GetWindowTextLengthA, GetWindowTextA, GetDlgCtrlID, DefWindowProcA, CreateWindowExA, GetClassLongA, SetPropA, UnhookWindowsHookEx, GetPropA, CallWindowProcA, RemovePropA, GetMessageTime, GetMessagePos, GetForegroundWindow, SetForegroundWindow, GetWindow, SetWindowLongA, SetWindowPos, RegisterWindowMessageA, OffsetRect, IntersectRect, SystemParametersInfoA, IsIconic, GetWindowPlacement, GetWindowRect, GetMenuCheckMarkDimensions, GetMenuState, ModifyMenuA, SetMenuItemBitmaps, CheckMenuItem, EnableMenuItem, GetFocus, GetKeyState, CallNextHookEx, ValidateRect, IsWindowVisible, GetCursorPos, SetWindowsHookExA, GetLastActivePopup, MessageBoxA, SetCursor, ShowOwnedPopups, PostMessageA, PostQuitMessage, GetNextDlgTabItem, EndDialog, GetActiveWindow, SetActiveWindow, IsWindow, GetSystemMetrics, CreateDialogIndirectParamA, DestroyWindow, GetParent, GetWindowLongA, GetDlgItem, IsWindowEnabled, SetRectEmpty, PtInRect, FillRect, SetScrollInfo, SetRect, SendMessageA, PeekMessageA, GetMessageA, TranslateMessage, DispatchMessageA, SetTimer, InvalidateRect, GetClientRect, LoadBitmapA, EnableWindow, GetMenuItemID, UnregisterClassA
                                           GDI32.dll | GetDeviceCaps, PatBlt, GetStockObject, Rectangle, DPtoLP, CreatePen, GetViewportOrgEx, AbortDoc, EndDoc, EndPage, StartPage, StartDocA, SetAbortProc, CreateDCA, SaveDC, RestoreDC, SetBkMode, SetPolyFillMode, SetROP2, SetStretchBltMode, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, SelectClipRgn, ExcludeClipRect, IntersectClipRect, MoveToEx, LineTo, SetTextAlign, GetCurrentPositionEx, GetObjectA, CreateRectRgn, GetViewportExtEx, GetWindowExtEx, CreateSolidBrush, CreatePatternBrush, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, GetTextExtentPoint32A, GetTextMetricsA, StretchDIBits, GetCharWidthA, CreateFontA, CreateFontIndirectA, LPtoDP, GetBkColor, GetNearestColor, GetTextColor, GetStretchBltMode, GetPolyFillMode, GetTextAlign, GetBkMode, GetROP2, GetTextFaceA, GetWindowOrgEx, SetRectRgn, CombineRgn, CreateRectRgnIndirect, SetTextColor, SetBkColor, GetClipBox, CreateBitmap, CreateCompatibleBitmap, SelectObject, StretchBlt, DeleteObject, DeleteDC, BitBlt, CreateCompatibleDC
                                           comdlg32.dll | GetFileTitleA, PrintDlgA, CommDlgExtendedError, GetSaveFileNameA, GetOpenFileNameA
                                           WINSPOOL.DRV | OpenPrinterA, DocumentPropertiesA, ClosePrinter
                                           ADVAPI32.dll | RegQueryValueExA, RegOpenKeyExA, RegCreateKeyExA, RegCloseKey, GetFileSecurityA, SetFileSecurityA, RegSetValueExA
                                           SHELL32.dll | DragQueryFileA, DragFinish
                                           COMCTL32.dll |

                                          Version Infos

                                           Description | Data
                                           LegalCopyright | Copyright (C) 2003
                                           InternalName | EffectDemo
                                           FileVersion | 1, 0, 0, 1
                                           CompanyName |
                                           LegalTrademarks |
                                           ProductName | EffectDemo Application
                                           ProductVersion | 1, 0, 0, 1
                                           FileDescription | EffectDemo MFC Application
                                           OriginalFilename | EffectDemo.EXE
                                           Translation | 0x0409 0x04b0

                                          Possible Origin

                                           Language of compilation system | Country where language is spoken
                                           English | United States

                                          Network Behavior

                                          Snort IDS Alerts

                                           Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                           11/18/20-16:00:56.201479 | TCP | 2404324 | ET CNC Feodo Tracker Reported CnC Server TCP group 13 | 49742 | 443 | 192.168.2.4 | 200.116.145.225

                                          Network Port Distribution

                                          TCP Packets

                                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                           Nov 18, 2020 16:00:56.201478958 CET | 49742 | 443 | 192.168.2.4 | 200.116.145.225
                                           Nov 18, 2020 16:00:56.396552086 CET | 443 | 49742 | 200.116.145.225 | 192.168.2.4
                                           Nov 18, 2020 16:00:56.396764040 CET | 49742 | 443 | 192.168.2.4 | 200.116.145.225
                                           Nov 18, 2020 16:00:56.398037910 CET | 49742 | 443 | 192.168.2.4 | 200.116.145.225
                                           Nov 18, 2020 16:00:56.398277044 CET | 49742 | 443 | 192.168.2.4 | 200.116.145.225
                                           Nov 18, 2020 16:00:56.595930099 CET | 443 | 49742 | 200.116.145.225 | 192.168.2.4
                                           Nov 18, 2020 16:00:56.595947981 CET | 443 | 49742 | 200.116.145.225 | 192.168.2.4
                                           Nov 18, 2020 16:00:56.783943892 CET | 443 | 49742 | 200.116.145.225 | 192.168.2.4
                                           Nov 18, 2020 16:00:57.383925915 CET | 443 | 49742 | 200.116.145.225 | 192.168.2.4
                                           Nov 18, 2020 16:00:57.384022951 CET | 49742 | 443 | 192.168.2.4 | 200.116.145.225
                                           Nov 18, 2020 16:02:02.399162054 CET | 443 | 49742 | 200.116.145.225 | 192.168.2.4
                                           Nov 18, 2020 16:02:02.399306059 CET | 49742 | 443 | 192.168.2.4 | 200.116.145.225

                                          UDP Packets

                                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                           Nov 18, 2020 16:00:33.099268913 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:00:33.134911060 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:00:33.932281017 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:00:33.959232092 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:00:35.197410107 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:00:35.224631071 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:00:35.978636026 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:00:36.005954027 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:00:37.021862030 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:00:37.048950911 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:00:38.367702007 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:00:38.394817114 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:00:39.535403967 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:00:39.562432051 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:00:40.350146055 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:00:40.377121925 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:00:41.208791018 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:00:41.237062931 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:00:42.726011038 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:00:42.753050089 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:00:43.777288914 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:00:43.804213047 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:00:59.555849075 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:00:59.583035946 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:01:16.963365078 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:01:16.990312099 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:01:17.522742987 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:01:17.558396101 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:01:17.987303019 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:01:18.022695065 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:01:18.325546026 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:01:18.360960007 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:01:18.643338919 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:01:18.670428991 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:01:18.853090048 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:01:18.888967037 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:01:19.287672997 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:01:19.314896107 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:01:19.729796886 CET | 56448 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:01:19.765239000 CET | 53 | 56448 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:01:20.354146004 CET | 59172 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:01:20.381256104 CET | 53 | 59172 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:01:21.001224041 CET | 62420 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:01:21.036653996 CET | 53 | 62420 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:01:21.382581949 CET | 60579 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:01:21.409843922 CET | 53 | 60579 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:01:21.519098043 CET | 50183 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:01:21.546266079 CET | 53 | 50183 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:01:33.886970043 CET | 61531 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:01:33.914041042 CET | 53 | 61531 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:01:34.217612028 CET | 49228 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:01:34.244699955 CET | 53 | 49228 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:01:38.323909044 CET | 59794 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:01:38.360553026 CET | 53 | 59794 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:02:10.261842012 CET | 55916 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:02:10.289072037 CET | 53 | 55916 | 8.8.8.8 | 192.168.2.4
                                           Nov 18, 2020 16:02:12.596378088 CET | 52752 | 53 | 192.168.2.4 | 8.8.8.8
                                           Nov 18, 2020 16:02:12.623620033 CET | 53 | 52752 | 8.8.8.8 | 192.168.2.4

                                          HTTP Request Dependency Graph

                                          • 200.116.145.225
                                            • 200.116.145.225:443

                                          HTTP Packets

                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                           0 | 192.168.2.4 | 49742 | 200.116.145.225 | 443 | C:\Windows\SysWOW64\setupugc\sort.exe
                                           Timestamp | kBytes transferred | Direction | Data
                                           Nov 18, 2020 16:00:56.398037910 CET | 157 | OUT | POST /0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm/ HTTP/1.1
                                           Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                           Accept-Encoding: gzip, deflate
                                           DNT: 1
                                           Connection: keep-alive
                                           Referer: 200.116.145.225/
                                           Upgrade-Insecure-Requests: 1
                                           Content-Type: multipart/form-data; boundary=---------hcIbcONok
                                           User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                           Host: 200.116.145.225:443
                                           Content-Length: 4628
                                           Cache-Control: no-cache
                                           Nov 18, 2020 16:00:57.383925915 CET | 162 | IN | HTTP/1.1 200 OK
                                           Server: nginx
                                           Date: Wed, 18 Nov 2020 15:00:57 GMT
                                           Content-Type: text/html; charset=UTF-8
                                           Content-Length: 132
                                           Connection: keep-alive
                                          Data Raw: 86 2d 97 64 dc 2f f8 df 14 38 07 51 47 c3 82 1e 9f a3 ba c8 d0 2b 43 69 bb 3b 52 61 27 3f 2a 29 23 ca ab b4 0c 87 79 27 e5 f8 12 aa 34 a6 67 1b cb d6 18 b7 d9 cd 1f 7e a9 3e d8 f6 74 85 25 34 ef 26 d3 d4 a7 7d dd 72 9d 53 6e ab e6 41 e3 1b 5d 14 0c 65 04 51 c3 9d 16 cd 48 17 e8 f2 17 79 96 33 16 89 ac 54 9d a3 23 36 b4 bc b1 be 1e e3 7b 1d ff ee 1e 79 1a 06 83 d0 8d 69 25 22 4a 20 90 a6 98 c3
                                          Data Ascii: -d/8QG+Ci;Ra'?*)#y'4g~>t%4&}rSnA]eQHy3T#6{yi%"J


                                          Code Manipulations

                                          Statistics

                                          Behavior


                                          System Behavior

                                          General

                                           Start time: 16:00:37
                                           Start date: 18/11/2020
                                           Path: C:\Users\user\Desktop\2ojdmC51As.exe
                                           Wow64 process (32bit): true
                                           Commandline: 'C:\Users\user\Desktop\2ojdmC51As.exe'
                                           Imagebase: 0x400000
                                           File size: 376832 bytes
                                           MD5 hash: 5804D97670DCDFAB88BA830682355DAD
                                           Has elevated privileges: true
                                           Has administrator privileges: true
                                           Programmed in: C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.667768852.0000000000664000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.667721626.0000000000620000.00000040.00000001.sdmp, Author: Joe Security
                                           Reputation: low

                                          General

                                           Start time: 16:00:38
                                           Start date: 18/11/2020
                                           Path: C:\Windows\SysWOW64\setupugc\sort.exe
                                           Wow64 process (32bit): true
                                           Commandline: C:\Windows\SysWOW64\setupugc\sort.exe
                                           Imagebase: 0x400000
                                           File size: 376832 bytes
                                           MD5 hash: 5804D97670DCDFAB88BA830682355DAD
                                           Has elevated privileges: true
                                           Has administrator privileges: true
                                           Programmed in: C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.931629655.0000000002220000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.931663752.0000000002244000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, Author: Joe Security
                                           Reputation: low

                                          General

                                           Start time: 16:00:59
                                           Start date: 18/11/2020
                                           Path: C:\Windows\System32\svchost.exe
                                           Wow64 process (32bit): false
                                           Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
                                           Imagebase: 0x7ff6eb840000
                                           File size: 51288 bytes
                                           MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                                           Has elevated privileges: true
                                           Has administrator privileges: true
                                           Programmed in: C, C++ or other language
                                           Reputation: high

                                          General

                                           Start time: 16:01:07
                                           Start date: 18/11/2020
                                           Path: C:\Windows\System32\svchost.exe
                                           Wow64 process (32bit): false
                                           Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
                                           Imagebase: 0x7ff6eb840000
                                           File size: 51288 bytes
                                           MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                                           Has elevated privileges: true
                                           Has administrator privileges: true
                                           Programmed in: C, C++ or other language
                                           Reputation: high

                                          General

                                           Start time: 16:01:15
                                           Start date: 18/11/2020
                                           Path: C:\Windows\System32\svchost.exe
                                           Wow64 process (32bit): false
                                           Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
                                           Imagebase: 0x7ff6eb840000
                                           File size: 51288 bytes
                                           MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                                           Has elevated privileges: true
                                           Has administrator privileges: true
                                           Programmed in: C, C++ or other language
                                           Reputation: high

                                          Disassembly

                                          Code Analysis
