Analysis Report Payment_pdf.cmd

Overview

General Information

Sample Name: Payment_pdf.cmd (renamed file extension from cmd to exe)
Analysis ID: 356522
MD5: aa4f187df7370b07d17cbe08abd778a0
SHA1: e2cf0a14a87a8b87c15634f062c9b54f687c5d83
SHA256: fe378f1e009b2b77c3e08de81d767a79fee3bce433810158b3be3d470baac6b7
Tags: AgentTesla, cmd

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AgentTesla
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to detect virtual machines (SGDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Startup

  • System is w10x64
  • Payment_pdf.exe (PID: 6968 cmdline: 'C:\Users\user\Desktop\Payment_pdf.exe' MD5: AA4F187DF7370B07D17CBE08ABD778A0)
    • powershell.exe (PID: 4388 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\xwPVuQKYPFmJR\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6032 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6964 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • Payment_pdf.exe (PID: 6724 cmdline: C:\Users\user\Desktop\Payment_pdf.exe MD5: AA4F187DF7370B07D17CBE08ABD778A0)
    • WerFault.exe (PID: 6180 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6968 -s 2032 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6372 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6792 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7120 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 2944 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6968 -ip 6968 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • explorer.exe (PID: 4936 cmdline: 'C:\Windows\explorer.exe' 'C:\Windows\Resources\Themes\aero\Shell\xwPVuQKYPFmJR\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 7036 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • svchost.exe (PID: 3504 cmdline: 'C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe' MD5: AA4F187DF7370B07D17CBE08ABD778A0)
      • powershell.exe (PID: 6768 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\xwPVuQKYPFmJR\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 4928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6476 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • explorer.exe (PID: 5736 cmdline: 'C:\Windows\explorer.exe' 'C:\Windows\Resources\Themes\aero\Shell\xwPVuQKYPFmJR\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 1560 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • svchost.exe (PID: 772 cmdline: 'C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe' MD5: AA4F187DF7370B07D17CBE08ABD778A0)
  • svchost.exe (PID: 5892 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6696 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 496 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • CZVkY.exe (PID: 5960 cmdline: 'C:\Users\user\AppData\Roaming\CZVkY\CZVkY.exe' MD5: AA4F187DF7370B07D17CBE08ABD778A0)
  • CZVkY.exe (PID: 2232 cmdline: 'C:\Users\user\AppData\Roaming\CZVkY\CZVkY.exe' MD5: AA4F187DF7370B07D17CBE08ABD778A0)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000002.594360112.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.423869749.0000000003AAE000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.453125199.00000000044AE000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Payment_pdf.exe.3aae1e0.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.Payment_pdf.exe.3ae4200.7.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
12.2.Payment_pdf.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.Payment_pdf.exe.3ae4200.7.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.Payment_pdf.exe.3aae1e0.5.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Suspicious Svchost Process
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe' , CommandLine: 'C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe, NewProcessName: C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe, OriginalFileName: C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 7036, ProcessCommandLine: 'C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe' , ProcessId: 3504
Sigma detected: System File Execution Location Anomaly
Source: Process started, Author: Florian Roth, Patrick Bareiss, Data: Command: 'C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe' , CommandLine: 'C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe, NewProcessName: C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe, OriginalFileName: C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 7036, ProcessCommandLine: 'C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe' , ProcessId: 3504
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started, Author: vburov, Data: Command: 'C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe' , CommandLine: 'C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe, NewProcessName: C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe, OriginalFileName: C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 7036, ProcessCommandLine: 'C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe' , ProcessId: 3504

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\CZVkY\CZVkY.exe, ReversingLabs: Detection: 21%
Source: C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe, ReversingLabs: Detection: 21%
Multi AV Scanner detection for submitted file
Source: Payment_pdf.exe, Virustotal: Detection: 26%
Source: Payment_pdf.exe, ReversingLabs: Detection: 21%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\CZVkY\CZVkY.exe, Joe Sandbox ML: detected
Source: C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Payment_pdf.exe, Joe Sandbox ML: detected
Source: 12.2.Payment_pdf.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: Payment_pdf.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Payment_pdf.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
                  Source: Binary string: psapi.pdb source: WerFault.exe, 0000000F.00000003.432682433.0000000004C87000.00000004.00000040.sdmp
                  Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000F.00000003.432179351.0000000004C8B000.00000004.00000040.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Payment_pdf.exe, 00000000.00000002.408285568.0000000000A2D000.00000004.00000020.sdmp
                  Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000F.00000003.432364134.0000000004AB1000.00000004.00000001.sdmp
                  Source: Binary string: bcrypt.pdbv source: WerFault.exe, 0000000F.00000003.432682433.0000000004C87000.00000004.00000040.sdmp
                  Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000F.00000002.497067048.0000000004D90000.00000004.00000001.sdmp
                  Source: Binary string: cldapi.pdb source: WerFault.exe, 0000000F.00000003.432179351.0000000004C8B000.00000004.00000040.sdmp
                  Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000F.00000003.432364134.0000000004AB1000.00000004.00000001.sdmp
                  Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000F.00000003.432364134.0000000004AB1000.00000004.00000001.sdmp
                  Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 0000000F.00000002.497067048.0000000004D90000.00000004.00000001.sdmp
                  Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000F.00000002.497067048.0000000004D90000.00000004.00000001.sdmp
                  Source: Binary string: combase.pdbk source: WerFault.exe, 0000000F.00000003.432423021.0000000004C84000.00000004.00000040.sdmp
                  Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000F.00000003.432682433.0000000004C87000.00000004.00000040.sdmp
                  Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000F.00000002.497067048.0000000004D90000.00000004.00000001.sdmp
                  Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000000F.00000003.432179351.0000000004C8B000.00000004.00000040.sdmp
                  Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000F.00000003.432682433.0000000004C87000.00000004.00000040.sdmp
                  Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000F.00000003.432580092.0000000004AC6000.00000004.00000001.sdmp
                  Source: Binary string: powrprof.pdb` source: WerFault.exe, 0000000F.00000003.432682433.0000000004C87000.00000004.00000040.sdmp
                  Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000F.00000003.432179351.0000000004C8B000.00000004.00000040.sdmp
                  Source: Binary string: edputil.pdb source: WerFault.exe, 0000000F.00000003.432179351.0000000004C8B000.00000004.00000040.sdmp
                  Source: global traffic HTTP traffic detected: GET /base/A632564F6B586F5A6F356DB5CA3B2690.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET /base/81C3FE323C5502E2AE417434B3B29FF7.html HTTP/1.1 Host: coroloboxorozor.com
                  Source: global traffic HTTP traffic detected: GET /base/4E6D09D3FE7F5C729D5893BBC810E319.html HTTP/1.1 Host: coroloboxorozor.com
                  Source: Joe Sandbox View IP Address: 172.67.172.17
                  Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
                  Source: svchost.exe, 0000001B.00000003.481676427.0000025027DC2000.00000004.00000001.sdmpString found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
                  Source: unknownDNS traffic detected: queries for: coroloboxorozor.com
                  Source: Payment_pdf.exe, 00000000.00000003.384124156.00000000055E1000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                  Source: svchost.exe, 0000001B.00000002.510562184.00000250274EE000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                  Source: Payment_pdf.exe, 00000000.00000003.384124156.00000000055E1000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                  Source: Payment_pdf.exe, 00000000.00000002.409692034.0000000002751000.00000004.00000001.sdmpString found in binary or memory: http://coroloboxorozor.com
                  Source: Payment_pdf.exe, 00000000.00000002.409692034.0000000002751000.00000004.00000001.sdmpString found in binary or memory: http://coroloboxorozor.com/base/4E6D09D3FE7F5C729D5893BBC810E319.html
                  Source: Payment_pdf.exe, 00000000.00000002.409692034.0000000002751000.00000004.00000001.sdmpString found in binary or memory: http://coroloboxorozor.com/base/A632564F6B586F5A6F356DB5CA3B2690.html
                  Source: WerFault.exe, 0000000F.00000002.492935514.00000000011B7000.00000004.00000001.sdmpString found in binary or memory: http://crl.microsoft.co
                  Source: Payment_pdf.exe, 00000000.00000003.384124156.00000000055E1000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                  Source: svchost.exe, 0000001B.00000002.510562184.00000250274EE000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                  Source: Payment_pdf.exe, 00000000.00000003.384124156.00000000055E1000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                  Source: Payment_pdf.exe, 00000000.00000003.384124156.00000000055E1000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                  Source: svchost.exe, 0000001B.00000002.510562184.00000250274EE000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                  Source: Payment_pdf.exe, 00000000.00000003.384124156.00000000055E1000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                  Source: svchost.exe, 0000001B.00000002.510562184.00000250274EE000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0
                  Source: Payment_pdf.exe, 00000000.00000003.384124156.00000000055E1000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                  Source: Payment_pdf.exe, 00000000.00000003.384124156.00000000055E1000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0O
                  Source: WerFault.exe, 0000000F.00000003.424086724.0000000004DD0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
                  Source: WerFault.exe, 0000000F.00000003.424086724.0000000004DD0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
                  Source: WerFault.exe, 0000000F.00000003.424086724.0000000004DD0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
                  Source: WerFault.exe, 0000000F.00000003.424086724.0000000004DD0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
                  Source: WerFault.exe, 0000000F.00000003.424086724.0000000004DD0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
                  Source: WerFault.exe, 0000000F.00000003.424086724.0000000004DD0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
                  Source: WerFault.exe, 0000000F.00000003.424086724.0000000004DD0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
                  Source: Payment_pdf.exe, 00000000.00000002.409692034.0000000002751000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.424086724.0000000004DD0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: WerFault.exe, 0000000F.00000003.424086724.0000000004DD0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
                  Source: WerFault.exe, 0000000F.00000003.424086724.0000000004DD0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
                  Source: WerFault.exe, 0000000F.00000003.424086724.0000000004DD0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
                  Source: WerFault.exe, 0000000F.00000003.424086724.0000000004DD0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
                  Source: WerFault.exe, 0000000F.00000003.424086724.0000000004DD0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
                  Source: WerFault.exe, 0000000F.00000003.424086724.0000000004DD0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
                  Source: WerFault.exe, 0000000F.00000003.424086724.0000000004DD0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
                  Source: Payment_pdf.exe, 00000000.00000003.384124156.00000000055E1000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                  Source: svchost.exe, 0000001B.00000003.481513610.0000025027D63000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.481630694.0000025027D85000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.481676427.0000025027DC2000.00000004.00000001.sdmpString found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
                  Source: svchost.exe, 0000001B.00000003.481513610.0000025027D63000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.481630694.0000025027D85000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.481676427.0000025027DC2000.00000004.00000001.sdmpString found in binary or memory: http://www.g5e.com/termsofservice
                  Source: svchost.exe, 0000001B.00000003.477375638.0000025027D61000.00000004.00000001.sdmpString found in binary or memory: http://www.hulu.com/privacy
                  Source: svchost.exe, 0000001B.00000003.477375638.0000025027D61000.00000004.00000001.sdmpString found in binary or memory: http://www.hulu.com/terms
                  Source: powershell.exe, 00000005.00000003.540007478.0000000008F65000.00000004.00000001.sdmpString found in binary or memory: http://www.microsoft.co1
                  Source: svchost.exe, 0000001B.00000003.493226506.0000025027D6F000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.493323322.0000025027DB2000.00000004.00000001.sdmpString found in binary or memory: https://corp.roblox.com/contact/
                  Source: svchost.exe, 0000001B.00000003.493226506.0000025027D6F000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.493323322.0000025027DB2000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.493506486.0000025027D91000.00000004.00000001.sdmpString found in binary or memory: https://corp.roblox.com/parents/
                  Source: svchost.exe, 0000001B.00000003.492107395.0000025027D5F000.00000004.00000001.sdmpString found in binary or memory: https://displaycatalog.m
                  Source: svchost.exe, 0000001B.00000003.493226506.0000025027D6F000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.493323322.0000025027DB2000.00000004.00000001.sdmpString found in binary or memory: https://en.help.roblox.com/hc/en-us
                  Source: powershell.exe, 00000005.00000003.500097206.00000000050A0000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
                  Source: svchost.exe, 0000001B.00000003.481513610.0000025027D63000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.481630694.0000025027D85000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.481676427.0000025027DC2000.00000004.00000001.sdmpString found in binary or memory: https://instagram.com/hiddencity_
                  Source: Payment_pdf.exe, 00000000.00000003.384124156.00000000055E1000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                  Source: svchost.exe, 0000001B.00000003.477375638.0000025027D61000.00000004.00000001.sdmpString found in binary or memory: https://www.hulu.com/ca-privacy-rights
                  Source: svchost.exe, 0000001B.00000003.477375638.0000025027D61000.00000004.00000001.sdmpString found in binary or memory: https://www.hulu.com/do-not-sell-my-info
                  Source: svchost.exe, 0000001B.00000003.493226506.0000025027D6F000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.493323322.0000025027DB2000.00000004.00000001.sdmpString found in binary or memory: https://www.roblox.com/develop
                  Source: svchost.exe, 0000001B.00000003.493226506.0000025027D6F000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.493323322.0000025027DB2000.00000004.00000001.sdmpString found in binary or memory: https://www.roblox.com/info/privacy
                  Source: Payment_pdf.exe, 00000000.00000002.423869749.0000000003AAE000.00000004.00000001.sdmp, Payment_pdf.exe, 0000000C.00000002.594360112.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

                  System Summary:

                  Initial sample is a PE file and has a suspicious name
                  Source: initial sampleStatic PE information: Filename: Payment_pdf.exe
                  Source: C:\Users\user\Desktop\Payment_pdf.exeFile created: C:\Windows\Resources\Themes\aero\Shell\xwPVuQKYPFmJR
                  Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6968 -ip 6968
                  Source: Payment_pdf.exeStatic PE information: invalid certificate
                  Source: Payment_pdf.exeBinary or memory string: OriginalFilename vs Payment_pdf.exe
                  Source: Payment_pdf.exe, 00000000.00000002.422429311.0000000003981000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRunPeBraba.dll6 vs Payment_pdf.exe
                  Source: Payment_pdf.exe, 00000000.00000000.325225367.0000000000232000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameToNTDGRS.exe2 vs Payment_pdf.exe
                  Source: Payment_pdf.exe, 00000000.00000002.423869749.0000000003AAE000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDqwB Pon.exe2 vs Payment_pdf.exe
                  Source: Payment_pdf.exe, 00000000.00000002.407427903.00000000006F7000.00000004.00000010.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs Payment_pdf.exe
                  Source: Payment_pdf.exeBinary or memory string: OriginalFilename vs Payment_pdf.exe
                  Source: Payment_pdf.exe, 0000000C.00000000.399361049.00000000009A2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameToNTDGRS.exe2 vs Payment_pdf.exe
                  Source: Payment_pdf.exe, 0000000C.00000002.594360112.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameDqwB Pon.exe2 vs Payment_pdf.exe
                  Source: Payment_pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: Payment_pdf.exe, 00000000.00000002.408770500.0000000000AB8000.00000004.00000020.sdmpBinary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
                  Source: classification engineClassification label: mal100.troj.evad.winEXE@39/19@5/3
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\20210223
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:724:120:WilError_01
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4928:120:WilError_01
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4860:120:WilError_01
                  Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6968
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oebs23ox.3ze.ps1
                  Source: unknownProcess created: C:\Windows\explorer.exe
                  Source: unknownProcess created: C:\Windows\explorer.exe
                  Source: unknownProcess created: C:\Windows\explorer.exe
                  Source: unknownProcess created: C:\Windows\explorer.exe
                  Source: Payment_pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\Payment_pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\Payment_pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Roaming\CZVkY\CZVkY.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Roaming\CZVkY\CZVkY.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\Payment_pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\Payment_pdf.exeFile read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Users\user\Desktop\Payment_pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Users\user\Desktop\Payment_pdf.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\Desktop\Payment_pdf.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\CZVkY\CZVkY.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\CZVkY\CZVkY.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: Payment_pdf.exeVirustotal: Detection: 26%
                  Source: Payment_pdf.exeReversingLabs: Detection: 21%
                  Source: C:\Users\user\Desktop\Payment_pdf.exeFile read: C:\Users\user\Desktop\Payment_pdf.exe
                  Source: unknownProcess created: C:\Users\user\Desktop\Payment_pdf.exe 'C:\Users\user\Desktop\Payment_pdf.exe'
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                  Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\xwPVuQKYPFmJR\svchost.exe' -Force
                  Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                  Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                  Source: unknownProcess created: C:\Users\user\Desktop\Payment_pdf.exe C:\Users\user\Desktop\Payment_pdf.exe
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                  Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6968 -ip 6968
                  Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6968 -s 2032
                  Source: unknownProcess created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' 'C:\Windows\Resources\Themes\aero\Shell\xwPVuQKYPFmJR\svchost.exe'
                  Source: unknownProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                  Source: unknownProcess created: C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe 'C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe'
                  Source: unknownProcess created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' 'C:\Windows\Resources\Themes\aero\Shell\xwPVuQKYPFmJR\svchost.exe'
                  Source: unknownProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                  Source: unknownProcess created: C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe 'C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe'
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\CZVkY\CZVkY.exe 'C:\Users\user\AppData\Roaming\CZVkY\CZVkY.exe'
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\CZVkY\CZVkY.exe 'C:\Users\user\AppData\Roaming\CZVkY\CZVkY.exe'
                  Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\xwPVuQKYPFmJR\svchost.exe' -Force
                  Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                  Source: C:\Users\user\Desktop\Payment_pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\xwPVuQKYPFmJR\svchost.exe' -Force
                  Source: C:\Users\user\Desktop\Payment_pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                  Source: C:\Users\user\Desktop\Payment_pdf.exeProcess created: C:\Users\user\Desktop\Payment_pdf.exe C:\Users\user\Desktop\Payment_pdf.exe
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
                  Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6968 -ip 6968
                  Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6968 -s 2032
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                  Source: C:\Windows\explorer.exeProcess created: C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe 'C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe'
                  Source: C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\xwPVuQKYPFmJR\svchost.exe' -Force
                  Source: C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                  Source: C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exeProcess created: unknown unknown
                  Source: C:\Windows\explorer.exeProcess created: C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe 'C:\Windows\Resources\Themes\aero\shell\xwPVuQKYPFmJR\svchost.exe'
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
                  Source: C:\Users\user\Desktop\Payment_pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32Jump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\Payment_pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: Payment_pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: Payment_pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT