Loading ...

Play interactive tourEdit tour

Analysis Report 2ojdmC51As.exe

Overview

General Information

Sample Name:2ojdmC51As.exe
Analysis ID:367934
MD5:5804d97670dcdfab88ba830682355dad
SHA1:65c817fb511824fa185f34ecd744b836ed7a19eb
SHA256:4e885ada930e285a005c5211b8a652dc0eb11a06ccf530561afa88aefe99c9fc
Infos:

Most interesting Screenshot:

Detection

Emotet
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Connects to several IPs in different countries
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • 2ojdmC51As.exe (PID: 5356 cmdline: 'C:\Users\user\Desktop\2ojdmC51As.exe' MD5: 5804D97670DCDFAB88BA830682355DAD)
    • iasrecst.exe (PID: 2964 cmdline: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe MD5: 5804D97670DCDFAB88BA830682355DAD)
  • svchost.exe (PID: 396 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5292 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6048 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5116 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 5456 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 5548 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 4660 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 4672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6492 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7096 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6208 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6596 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["200.116.145.225:443", "96.126.101.6:8080", "5.196.108.185:8080", "167.114.153.111:8080", "194.187.133.160:443", "98.174.164.72:80", "103.86.49.11:8080", "78.24.219.147:8080", "50.245.107.73:443", "110.145.77.103:80", "94.200.114.161:80", "61.19.246.238:443", "194.4.58.192:7080", "209.54.13.14:80", "102.182.93.220:80", "186.70.56.94:443", "203.153.216.189:7080", "49.50.209.131:80", "176.113.52.6:443", "62.30.7.67:443", "61.76.222.210:80", "113.61.66.94:80", "157.245.99.39:8080", "216.139.123.119:80", "184.180.181.202:80", "123.142.37.166:80", "124.41.215.226:80", "119.59.116.21:8080", "41.185.28.84:8080", "5.39.91.110:7080", "220.245.198.194:80", "139.162.108.71:8080", "75.143.247.51:80", "74.214.230.200:80", "185.94.252.104:443", "208.180.207.205:80", "49.3.224.99:8080", "93.147.212.206:80", "182.208.30.18:443", "95.213.236.64:8080", "37.187.72.193:8080", "59.125.219.109:443", "37.179.204.33:80", "95.9.5.93:80", "168.235.67.138:7080", "118.83.154.64:443", "121.7.31.214:80", "74.208.45.104:8080", "87.106.136.232:8080", "138.68.87.218:443", "62.75.141.82:80", "66.76.12.94:8080", "202.134.4.216:8080", "47.36.140.164:80", "110.142.236.207:80", "134.209.144.106:443", "89.216.122.92:80", "75.188.96.231:80", "24.179.13.119:80", "218.147.193.146:80", "174.106.122.139:80", "71.15.245.148:8080", "104.131.11.150:443", "202.141.243.254:443", "94.230.70.6:80", "24.178.90.49:80", "97.82.79.83:80", "68.252.26.78:80", "173.63.222.65:80", "162.241.242.173:8080", "79.137.83.50:443", "80.241.255.202:8080", "120.150.60.189:80", "96.245.227.43:80", "50.91.114.38:80", "83.110.223.58:443", "24.230.141.169:80", "37.139.21.175:8080", "202.134.4.211:8080", "190.240.194.77:443", "176.111.60.55:8080", "123.176.25.234:80", "209.141.54.221:7080", "115.94.207.99:443", "50.35.17.13:80", "109.74.5.95:8080", "120.150.218.241:443", "121.124.124.40:7080", "217.20.166.178:7080", "108.46.29.236:80", "2.58.16.89:8080", "85.105.111.166:80", "137.59.187.107:8080", "139.162.60.124:8080", "76.175.162.101:80", "139.99.158.11:443", "104.131.123.136:443", "91.211.88.52:7080", "91.146.156.228:80", "172.104.97.173:8080", "89.121.205.18:80", "186.74.215.34:80", "61.33.119.226:443", "162.241.140.129:8080", "130.0.132.242:80", "190.108.228.27:443", "201.241.127.190:80", "87.106.139.101:8080", "78.188.106.53:443", "188.219.31.12:80", "76.171.227.238:80", "72.143.73.234:443", "62.171.142.179:8080", "139.59.60.244:8080", "24.137.76.62:80", "172.86.188.251:8080", "172.91.208.86:80", "94.23.237.171:443"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
    00000001.00000002.494960467.0000000000710000.00000040.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
      00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
        00000000.00000002.231317711.0000000002194000.00000004.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
          00000001.00000002.496587282.0000000002284000.00000004.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
            Click to see the 1 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.2ojdmC51As.exe.21e0000.3.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
              1.2.iasrecst.exe.71052e.2.raw.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                1.2.iasrecst.exe.71279e.1.raw.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                  0.2.2ojdmC51As.exe.60279e.1.raw.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                    1.2.iasrecst.exe.71052e.2.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                      Click to see the 5 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 0.2.2ojdmC51As.exe.21e0000.3.unpackMalware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["200.116.145.225:443", "96.126.101.6:8080", "5.196.108.185:8080", "167.114.153.111:8080", "194.187.133.160:443", "98.174.164.72:80", "103.86.49.11:8080", "78.24.219.147:8080", "50.245.107.73:443", "110.145.77.103:80", "94.200.114.161:80", "61.19.246.238:443", "194.4.58.192:7080", "209.54.13.14:80", "102.182.93.220:80", "186.70.56.94:443", "203.153.216.189:7080", "49.50.209.131:80", "176.113.52.6:443", "62.30.7.67:443", "61.76.222.210:80", "113.61.66.94:80", "157.245.99.39:8080", "216.139.123.119:80", "184.180.181.202:80", "123.142.37.166:80", "124.41.215.226:80", "119.59.116.21:8080", "41.185.28.84:8080", "5.39.91.110:7080", "220.245.198.194:80", "139.162.108.71:8080", "75.143.247.51:80", "74.214.230.200:80", "185.94.252.104:443", "208.180.207.205:80", "49.3.224.99:8080", "93.147.212.206:80", "182.208.30.18:443", "95.213.236.64:8080", "37.187.72.193:8080", "59.125.219.109:443", "37.179.204.33:80", "95.9.5.93:80", "168.235.67.138:7080", "118.83.154.64:443", "121.7.31.214:80", "74.208.45.104:8080", "87.106.136.232:8080", "138.68.87.218:443", "62.75.141.82:80", "66.76.12.94:8080", "202.134.4.216:8080", "47.36.140.164:80", "110.142.236.207:80", "134.209.144.106:443", "89.216.122.92:80", "75.188.96.231:80", "24.179.13.119:80", "218.147.193.146:80", "174.106.122.139:80", "71.15.245.148:8080", "104.131.11.150:443", "202.141.243.254:443", "94.230.70.6:80", "24.178.90.49:80", "97.82.79.83:80", "68.252.26.78:80", "173.63.222.65:80", "162.241.242.173:8080", "79.137.83.50:443", "80.241.255.202:8080", "120.150.60.189:80", "96.245.227.43:80", "50.91.114.38:80", "83.110.223.58:443", "24.230.141.169:80", "37.139.21.175:8080", "202.134.4.211:8080", "190.240.194.77:443", "176.111.60.55:8080", "123.176.25.234:80", "209.141.54.221:7080", "115.94.207.99:443", "50.35.17.13:80", "109.74.5.95:8080", "120.150.218.241:443", "121.124.124.40:7080", "217.20.166.178:7080", "108.46.29.236:80", "2.58.16.89:8080", "85.105.111.166:80", "137.59.187.107:8080", "139.162.60.124:8080", "76.175.162.101:80", "139.99.158.11:443", "104.131.123.136:443", "91.211.88.52:7080", "91.146.156.228:80", "172.104.97.173:8080", "89.121.205.18:80", "186.74.215.34:80", "61.33.119.226:443", "162.241.140.129:8080", "130.0.132.242:80", "190.108.228.27:443", "201.241.127.190:80", "87.106.139.101:8080", "78.188.106.53:443", "188.219.31.12:80", "76.171.227.238:80", "72.143.73.234:443", "62.171.142.179:8080", "139.59.60.244:8080", "24.137.76.62:80", "172.86.188.251:8080", "172.91.208.86:80", "94.23.237.171:443"]}
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: 2ojdmC51As.exeVirustotal: Detection: 76%Perma Link
                      Source: 2ojdmC51As.exeMetadefender: Detection: 67%Perma Link
                      Source: 2ojdmC51As.exeReversingLabs: Detection: 88%
                      Machine Learning detection for sampleShow sources
                      Source: 2ojdmC51As.exeJoe Sandbox ML: detected
                      Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exeCode function: 1_2_022C2290 CryptGetHashParam,CryptEncrypt,CryptDestroyHash,CryptDuplicateHash,memcpy,CryptExportKey,GetProcessHeap,RtlAllocateHeap,1_2_022C2290
                      Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exeCode function: 1_2_022C2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,1_2_022C2650
                      Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exeCode function: 1_2_022C1FB0 memcpy,GetProcessHeap,RtlAllocateHeap,CryptDestroyHash,CryptDuplicateHash,1_2_022C1FB0
                      Source: 2ojdmC51As.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                      Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_004182CC FindFirstFileA,FindClose,0_2_004182CC
                      Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_00417B29 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,0_2_00417B29
                      Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_021E38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,0_2_021E38F0
                      Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exeCode function: 1_2_004182CC FindFirstFileA,FindClose,1_2_004182CC
                      Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exeCode function: 1_2_00417B29 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,1_2_00417B29
                      Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exeCode function: 1_2_022C38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,1_2_022C38F0

                      Networking:

                      barindex
                      C2 URLs / IPs found in malware configurationShow sources
                      Source: Malware configuration extractorIPs: 200.116.145.225:443
                      Source: Malware configuration extractorIPs: 96.126.101.6:8080
                      Source: Malware configuration extractorIPs: 5.196.108.185:8080
                      Source: Malware configuration extractorIPs: 167.114.153.111:8080
                      Source: Malware configuration extractorIPs: 194.187.133.160:443
                      Source: Malware configuration extractorIPs: 98.174.164.72:80
                      Source: Malware configuration extractorIPs: 103.86.49.11:8080
                      Source: Malware configuration extractorIPs: 78.24.219.147:8080
                      Source: Malware configuration extractorIPs: 50.245.107.73:443
                      Source: Malware configuration extractorIPs: 110.145.77.103:80
                      Source: Malware configuration extractorIPs: 94.200.114.161:80
                      Source: Malware configuration extractorIPs: 61.19.246.238:443
                      Source: Malware configuration extractorIPs: 194.4.58.192:7080
                      Source: Malware configuration extractorIPs: 209.54.13.14:80
                      Source: Malware configuration extractorIPs: 102.182.93.220:80
                      Source: Malware configuration extractorIPs: 186.70.56.94:443
                      Source: Malware configuration extractorIPs: 203.153.216.189:7080
                      Source: Malware configuration extractorIPs: 49.50.209.131:80
                      Source: Malware configuration extractorIPs: 176.113.52.6:443
                      Source: Malware configuration extractorIPs: 62.30.7.67:443
                      Source: Malware configuration extractorIPs: 61.76.222.210:80
                      Source: Malware configuration extractorIPs: 113.61.66.94:80
                      Source: Malware configuration extractorIPs: 157.245.99.39:8080
                      Source: Malware configuration extractorIPs: 216.139.123.119:80
                      Source: Malware configuration extractorIPs: 184.180.181.202:80
                      Source: Malware configuration extractorIPs: 123.142.37.166:80
                      Source: Malware configuration extractorIPs: 124.41.215.226:80
                      Source: Malware configuration extractorIPs: 119.59.116.21:8080
                      Source: Malware configuration extractorIPs: 41.185.28.84:8080
                      Source: Malware configuration extractorIPs: 5.39.91.110:7080
                      Source: Malware configuration extractorIPs: 220.245.198.194:80
                      Source: Malware configuration extractorIPs: 139.162.108.71:8080
                      Source: Malware configuration extractorIPs: 75.143.247.51:80
                      Source: Malware configuration extractorIPs: 74.214.230.200:80
                      Source: Malware configuration extractorIPs: 185.94.252.104:443
                      Source: Malware configuration extractorIPs: 208.180.207.205:80
                      Source: Malware configuration extractorIPs: 49.3.224.99:8080
                      Source: Malware configuration extractorIPs: 93.147.212.206:80
                      Source: Malware configuration extractorIPs: 182.208.30.18:443
                      Source: Malware configuration extractorIPs: 95.213.236.64:8080
                      Source: Malware configuration extractorIPs: 37.187.72.193:8080
                      Source: Malware configuration extractorIPs: 59.125.219.109:443
                      Source: Malware configuration extractorIPs: 37.179.204.33:80
                      Source: Malware configuration extractorIPs: 95.9.5.93:80
                      Source: Malware configuration extractorIPs: 168.235.67.138:7080
                      Source: Malware configuration extractorIPs: 118.83.154.64:443
                      Source: Malware configuration extractorIPs: 121.7.31.214:80
                      Source: Malware configuration extractorIPs: 74.208.45.104:8080
                      Source: Malware configuration extractorIPs: 87.106.136.232:8080
                      Source: Malware configuration extractorIPs: 138.68.87.218:443
                      Source: Malware configuration extractorIPs: 62.75.141.82:80
                      Source: Malware configuration extractorIPs: 66.76.12.94:8080
                      Source: Malware configuration extractorIPs: 202.134.4.216:8080
                      Source: Malware configuration extractorIPs: 47.36.140.164:80
                      Source: Malware configuration extractorIPs: 110.142.236.207:80
                      Source: Malware configuration extractorIPs: 134.209.144.106:443
                      Source: Malware configuration extractorIPs: 89.216.122.92:80
                      Source: Malware configuration extractorIPs: 75.188.96.231:80
                      Source: Malware configuration extractorIPs: 24.179.13.119:80
                      Source: Malware configuration extractorIPs: 218.147.193.146:80
                      Source: Malware configuration extractorIPs: 174.106.122.139:80
                      Source: Malware configuration extractorIPs: 71.15.245.148:8080
                      Source: Malware configuration extractorIPs: 104.131.11.150:443
                      Source: Malware configuration extractorIPs: 202.141.243.254:443
                      Source: Malware configuration extractorIPs: 94.230.70.6:80
                      Source: Malware configuration extractorIPs: 24.178.90.49:80
                      Source: Malware configuration extractorIPs: 97.82.79.83:80
                      Source: Malware configuration extractorIPs: 68.252.26.78:80
                      Source: Malware configuration extractorIPs: 173.63.222.65:80
                      Source: Malware configuration extractorIPs: 162.241.242.173:8080
                      Source: Malware configuration extractorIPs: 79.137.83.50:443
                      Source: Malware configuration extractorIPs: 80.241.255.202:8080
                      Source: Malware configuration extractorIPs: 120.150.60.189:80
                      Source: Malware configuration extractorIPs: 96.245.227.43:80
                      Source: Malware configuration extractorIPs: 50.91.114.38:80
                      Source: Malware configuration extractorIPs: 83.110.223.58:443
                      Source: Malware configuration extractorIPs: 24.230.141.169:80
                      Source: Malware configuration extractorIPs: 37.139.21.175:8080
                      Source: Malware configuration extractorIPs: 202.134.4.211:8080
                      Source: Malware configuration extractorIPs: 190.240.194.77:443
                      Source: Malware configuration extractorIPs: 176.111.60.55:8080
                      Source: Malware configuration extractorIPs: 123.176.25.234:80
                      Source: Malware configuration extractorIPs: 209.141.54.221:7080
                      Source: Malware configuration extractorIPs: 115.94.207.99:443
                      Source: Malware configuration extractorIPs: 50.35.17.13:80
                      Source: Malware configuration extractorIPs: 109.74.5.95:8080
                      Source: Malware configuration extractorIPs: 120.150.218.241:443
                      Source: Malware configuration extractorIPs: 121.124.124.40:7080
                      Source: Malware configuration extractorIPs: 217.20.166.178:7080
                      Source: Malware configuration extractorIPs: 108.46.29.236:80
                      Source: Malware configuration extractorIPs: 2.58.16.89:8080
                      Source: Malware configuration extractorIPs: 85.105.111.166:80
                      Source: Malware configuration extractorIPs: 137.59.187.107:8080
                      Source: Malware configuration extractorIPs: 139.162.60.124:8080
                      Source: Malware configuration extractorIPs: 76.175.162.101:80
                      Source: Malware configuration extractorIPs: 139.99.158.11:443
                      Source: Malware configuration extractorIPs: 104.131.123.136:443
                      Source: Malware configuration extractorIPs: 91.211.88.52:7080
                      Source: Malware configuration extractorIPs: 91.146.156.228:80
                      Source: Malware configuration extractorIPs: 172.104.97.173:8080
                      Source: Malware configuration extractorIPs: 89.121.205.18:80
                      Source: Malware configuration extractorIPs: 186.74.215.34:80
                      Source: Malware configuration extractorIPs: 61.33.119.226:443
                      Source: Malware configuration extractorIPs: 162.241.140.129:8080
                      Source: Malware configuration extractorIPs: 130.0.132.242:80
                      Source: Malware configuration extractorIPs: 190.108.228.27:443
                      Source: Malware configuration extractorIPs: 201.241.127.190:80
                      Source: Malware configuration extractorIPs: 87.106.139.101:8080
                      Source: Malware configuration extractorIPs: 78.188.106.53:443
                      Source: Malware configuration extractorIPs: 188.219.31.12:80
                      Source: Malware configuration extractorIPs: 76.171.227.238:80
                      Source: Malware configuration extractorIPs: 72.143.73.234:443
                      Source: Malware configuration extractorIPs: 62.171.142.179:8080
                      Source: Malware configuration extractorIPs: 139.59.60.244:8080
                      Source: Malware configuration extractorIPs: 24.137.76.62:80
                      Source: Malware configuration extractorIPs: 172.86.188.251:8080
                      Source: Malware configuration extractorIPs: 172.91.208.86:80
                      Source: Malware configuration extractorIPs: 94.23.237.171:443
                      Source: unknownNetwork traffic detected: IP country count 34
                      Source: global trafficTCP traffic: 192.168.2.5:49723 -> 96.126.101.6:8080
                      Source: global trafficTCP traffic: 192.168.2.5:49724 -> 5.196.108.185:8080
                      Source: global trafficTCP traffic: 192.168.2.5:49728 -> 167.114.153.111:8080
                      Source: global trafficTCP traffic: 192.168.2.5:49747 -> 103.86.49.11:8080
                      Source: global trafficTCP traffic: 192.168.2.5:49748 -> 78.24.219.147:8080
                      Source: Joe Sandbox ViewASN Name: HOSTER-KZ HOSTER-KZ
                      Source: Joe Sandbox ViewASN Name: AfrihostZA AfrihostZA
                      Source: global trafficHTTP traffic detected: POST /wGf14n07/vS3mZ/aWoW/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 5.196.108.185/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=-----------jFClBgacZrwUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 5.196.108.185:8080Content-Length: 4596Cache-Control: no-cache
                      Source: unknownTCP traffic detected without corresponding DNS query: 200.116.145.225
                      Source: unknownTCP traffic detected without corresponding DNS query: 200.116.145.225
                      Source: unknownTCP traffic detected without corresponding DNS query: 200.116.145.225
                      Source: unknownTCP traffic detected without corresponding DNS query: 96.126.101.6
                      Source: unknownTCP traffic detected without corresponding DNS query: 96.126.101.6
                      Source: unknownTCP traffic detected without corresponding DNS query: 96.126.101.6
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.196.108.185
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.196.108.185
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.196.108.185
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.196.108.185
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.196.108.185
                      Source: unknownTCP traffic detected without corresponding DNS query: 167.114.153.111
                      Source: unknownTCP traffic detected without corresponding DNS query: 167.114.153.111
                      Source: unknownTCP traffic detected without corresponding DNS query: 167.114.153.111
                      Source: unknownTCP traffic detected without corresponding DNS query: 194.187.133.160
                      Source: unknownTCP traffic detected without corresponding DNS query: 194.187.133.160
                      Source: unknownTCP traffic detected without corresponding DNS query: 194.187.133.160
                      Source: unknownTCP traffic detected without corresponding DNS query: 98.174.164.72
                      Source: unknownTCP traffic detected without corresponding DNS query: 98.174.164.72
                      Source: unknownTCP traffic detected without corresponding DNS query: 98.174.164.72
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.196.108.185
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.86.49.11
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.86.49.11
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.86.49.11
                      Source: unknownTCP traffic detected without corresponding DNS query: 78.24.219.147
                      Source: unknownTCP traffic detected without corresponding DNS query: 78.24.219.147
                      Source: unknownTCP traffic detected without corresponding DNS query: 78.24.219.147
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.196.108.185
                      Source: svchost.exe, 00000016.00000003.400623292.000001DCAE722000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
                      Source: svchost.exe, 00000016.00000003.400623292.000001DCAE722000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
                      Source: svchost.exe, 00000016.00000003.400383367.000001DCAE767000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-05T08:18:42.8639720Z||.||dd237c2b-2874-48fe-90b2-f0059c8f0c6d||1152921505693245717||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
                      Source: svchost.exe, 00000016.00000003.400383367.000001DCAE767000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-05T08:18:42.8639720Z||.||dd237c2b-2874-48fe-90b2-f0059c8f0c6d||1152921505693245717||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
                      Source: svchost.exe, 00000016.00000003.400623292.000001DCAE722000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.facebook.com (Facebook)
                      Source: svchost.exe, 00000016.00000003.400623292.000001DCAE722000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.twitter.com (Twitter)
                      Source: svchost.exe, 00000016.00000003.393782565.000001DCAE782000.00000004.00000001.sdmpString found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-02T18:22:42.6875348Z||.||d304cd4c-475a-4125-aa87-5c57cb1f4562||1152921505693241551||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-03-02T18:21:36.4242164Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free* texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
                      Source: svchost.exe, 00000016.00000003.391280165.000001DCAE75B000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
                      Source: svchost.exe, 00000016.00000003.391280165.000001DCAE75B000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
                      Source: svchost.exe, 00000016.00000003.391280165.000001DCAE75B000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
                      Source: svchost.exe, 00000016.00000003.391261125.000001DCAE7BD000.00000004.00000001.sdmpString found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
                      Source: svchost.exe, 00000016.00000003.391261125.000001DCAE7BD000.00000004.00000001.sdmpString found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
                      Source: svchost.exe, 00000016.00000003.391261125.000001DCAE7BD000.00000004.00000001.sdmpString found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
                      Source: svchost.exe, 00000016.00000003.393796977.000001DCAE763000.00000004.00000001.sdmpString found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-02T18:22:42.6875348Z||.||d304cd4c-475a-4125-aa87-5c57cb1f4562||1152921505693241551||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-03-02T18:21:36.4242164Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free* texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
                      Source: svchost.exe, 00000016.00000003.394281664.000001DCAE725000.00000004.00000001.sdmpString found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","SkuTitle":"Messenger","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9WZDNCRF0083","Properties":{"FulfillmentData":{"ProductId":"9WZDNCRF0083","WuCategoryId":"c6a9fa5c-20a2-4e12-904d-edd408657dc8","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","SkuId":"0010"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x64"],"Capabilities":["runFullTrust","internetClient","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":137909932,"PackageFormat":"Appx","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","MainPackageFamilyNameForDlc":null,"PackageFullName":"FACEBOOK.317180B0BB486_910.5.119.0_x64__8xx8rvfyw5nnt","PackageId":"7a013703-edb8-6940-193c-127d899a1d9b-X64","PackageRank":30002,"PlatformDependencies":[{"MaxTested":2814750970478592,"MinVersion":2814750438195200,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"FACEBOOK.317180B0BB486_910.5.119.0_x64__8xx8rvfyw5nnt\",\"content.productId\":\"3219d30d-4a23-4f58-a91c-c44b04e6a0c7\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750970478592,\"platform.minVersion\":2814750438195200,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Social\",\"optOut.backu
                      Source: unknownHTTP traffic detected: POST /wGf14n07/vS3mZ/aWoW/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 5.196.108.185/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=-----------jFClBgacZrwUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 5.196.108.185:8080Content-Length: 4596Cache-Control: no-cache
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 12 Mar 2021 15:27:27 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                      Source: iasrecst.exe, 00000001.00000003.405531994.0000000002986000.00000004.00000001.sdmpString found in binary or memory: http://167.114.153.111:8080/RWKwnR00xL9KFn/8u41u6KEQrM/jtlSmN2GQ/
                      Source: iasrecst.exe, 00000001.00000003.405531994.0000000002986000.00000004.00000001.sdmpString found in binary or memory: http://167.114.153.111:8080/RWKwnR00xL9KFn/8u41u6KEQrM/jtlSmN2GQ/l
                      Source: iasrecst.exe, 00000001.00000003.405645710.0000000002981000.00000004.00000001.sdmp, iasrecst.exe, 00000001.00000003.405531994.0000000002986000.00000004.00000001.sdmpString found in binary or memory: http://194.187.133.160:443/3El8N8aRynButJ/
                      Source: iasrecst.exe, 00000001.00000002.499375661.0000000002970000.00000004.00000001.sdmpString found in binary or memory: http://5.196.108.185:8080/wGf14n07/vS3mZ/aWoW/q
                      Source: iasrecst.exe, 00000001.00000002.499375661.0000000002970000.00000004.00000001.sdmpString found in binary or memory: http://78.24.219.147:8080/sYVMb8sSsBN1RjvCK/iGzstLqezClQ/N1nFCPZm6mEYgboT/pmtRsMHWSucuO/QEkDfx4jkf1H
                      Source: iasrecst.exe, 00000001.00000003.327469162.0000000002981000.00000004.00000001.sdmpString found in binary or memory: http://96.126.101.6:8080/j8688GhgZ4mpI2/
                      Source: iasrecst.exe, 00000001.00000003.405531994.0000000002986000.00000004.00000001.sdmpString found in binary or memory: http://98.174.164.72/2CRvCvWLe/Uxu7RQJUiJql1/
                      Source: iasrecst.exe, 00000001.00000002.499375661.0000000002970000.00000004.00000001.sdmpString found in binary or memory: http://98.174.164.72/2CRvCvWLe/Uxu7RQJUiJql1/%
                      Source: svchost.exe, 00000016.00000002.411881082.000001DCADE70000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                      Source: svchost.exe, 00000006.00000002.498370452.000002074589B000.00000004.00000001.sdmpString found in binary or memory: http://crl.m
                      Source: svchost.exe, 00000016.00000002.411881082.000001DCADE70000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                      Source: svchost.exe, 00000006.00000002.494908534.00000207402BA000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                      Source: svchost.exe, 00000016.00000002.411881082.000001DCADE70000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                      Source: svchost.exe, 00000016.00000002.411881082.000001DCADE70000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0
                      Source: svchost.exe, 00000006.00000002.494908534.00000207402BA000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0:
                      Source: svchost.exe, 00000006.00000002.498171073.0000020745800000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.msocsp.com0
                      Source: svchost.exe, 00000006.00000002.498650900.0000020745B10000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
                      Source: svchost.exe, 00000009.00000002.305642289.0000015674A13000.00000004.00000001.sdmpString found in binary or memory: http://www.bingmapsportal.com
                      Source: svchost.exe, 00000016.00000003.391261125.000001DCAE7BD000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.391280165.000001DCAE75B000.00000004.00000001.sdmpString found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
                      Source: svchost.exe, 00000016.00000003.391261125.000001DCAE7BD000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.391280165.000001DCAE75B000.00000004.00000001.sdmpString found in binary or memory: http://www.g5e.com/termsofservice
                      Source: svchost.exe, 00000016.00000003.390026009.000001DCAE75A000.00000004.00000001.sdmpString found in binary or memory: http://www.hulu.com/privacy
                      Source: svchost.exe, 00000016.00000003.390026009.000001DCAE75A000.00000004.00000001.sdmpString found in binary or memory: http://www.hulu.com/terms
                      Source: svchost.exe, 00000007.00000002.494852071.0000021F6323E000.00000004.00000001.sdmpString found in binary or memory: https://%s.dnet.xboxlive.com
                      Source: svchost.exe, 00000007.00000002.494852071.0000021F6323E000.00000004.00000001.sdmpString found in binary or memory: https://%s.xboxlive.com
                      Source: svchost.exe, 00000007.00000002.494852071.0000021F6323E000.00000004.00000001.sdmpString found in binary or memory: https://activity.windows.com
                      Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                      Source: svchost.exe, 00000007.00000002.494852071.0000021F6323E000.00000004.00000001.sdmpString found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
                      Source: svchost.exe, 00000007.00000002.494852071.0000021F6323E000.00000004.00000001.sdmpString found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
                      Source: svchost.exe, 00000016.00000003.399082619.000001DCAE798000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.399173864.000001DCAE765000.00000004.00000001.sdmpString found in binary or memory: https://corp.roblox.com/contact/
                      Source: svchost.exe, 00000016.00000003.399173864.000001DCAE765000.00000004.00000001.sdmpString found in binary or memory: https://corp.roblox.com/parents/
                      Source: svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
                      Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                      Source: svchost.exe, 00000009.00000002.305679371.0000015674A3D000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                      Source: svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
                      Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                      Source: svchost.exe, 00000009.00000003.305136565.0000015674A48000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
                      Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
                      Source: svchost.exe, 00000009.00000002.305679371.0000015674A3D000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                      Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                      Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                      Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                      Source: svchost.exe, 00000009.00000002.305686531.0000015674A42000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                      Source: svchost.exe, 00000009.00000002.305686531.0000015674A42000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
                      Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                      Source: svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.305206943.0000015674A40000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                      Source: svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                      Source: svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 00000009.00000003.305136565.0000015674A48000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t
                      Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                      Source: svchost.exe, 00000009.00000002.305679371.0000015674A3D000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 00000009.00000003.283475151.0000015674A31000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exe, 00000016.00000003.399082619.000001DCAE798000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.399173864.000001DCAE765000.00000004.00000001.sdmpString found in binary or memory: https://en.help.roblox.com/hc/en-us
                      Source: svchost.exe, 00000016.00000003.391261125.000001DCAE7BD000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.391280165.000001DCAE75B000.00000004.00000001.sdmpString found in binary or memory: https://instagram.com/hiddencity_
                      Source: svchost.exe, 00000009.00000002.305679371.0000015674A3D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                      Source: svchost.exe, 00000009.00000002.305642289.0000015674A13000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.305679371.0000015674A3D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                      Source: svchost.exe, 00000009.00000003.283475151.0000015674A31000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 00000009.00000003.305199569.0000015674A45000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 00000009.00000003.283475151.0000015674A31000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                      Source: svchost.exe, 00000009.00000002.305673394.0000015674A3A000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                      Source: svchost.exe, 00000009.00000003.305136565.0000015674A48000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                      Source: svchost.exe, 00000016.00000003.390026009.000001DCAE75A000.00000004.00000001.sdmpString found in binary or memory: https://www.hulu.com/ca-privacy-rights
                      Source: svchost.exe, 00000016.00000003.390026009.000001DCAE75A000.00000004.00000001.sdmpString found in binary or memory: https://www.hulu.com/do-not-sell-my-info
                      Source: svchost.exe, 00000016.00000003.399082619.000001DCAE798000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.399173864.000001DCAE765000.00000004.00000001.sdmpString found in binary or memory: https://www.roblox.com/develop
                      Source: svchost.exe, 00000016.00000003.399082619.000001DCAE798000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.399173864.000001DCAE765000.00000004.00000001.sdmpString found in binary or memory: https://www.roblox.com/info/privacy
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
                      Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_00422473 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,0_2_00422473
                      Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_00422488 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,0_2_00422488
                      Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_0041580E GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,0_2_0041580E
                      Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_004238DC GetKeyState,GetKeyState,GetKeyState,0_2_004238DC
                      Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_0041E95F ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,0_2_0041E95F
                      Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_00412ABD GetKeyState,GetKeyState,GetKeyState,GetKeyState,0_2_00412ABD
                      Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_00410E05 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,SendMessageA,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,0_2_00410E05
                      Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exeCode function: 1_2_00422473 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,1_2_00422473
                      Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exeCode function: 1_2_00422488 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,1_2_00422488
                      Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exeCode function: 1_2_0041580E GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,1_2_0041580E
                      Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exeCode function: 1_2_004238DC GetKeyState,GetKeyState,GetKeyState,1_2_004238DC
                      Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exeCode function: 1_2_0041E95F ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,1_2_0041E95F
                      Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exeCode function: 1_2_00412ABD GetKeyState,GetKeyState,GetKeyState,GetKeyState,1_2_00412ABD
                      Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exeCode function: 1_2_00410E05 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,SendMessageA,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,1_2_00410E05

                      E-Banking Fraud:

                      barindex
                      Yara detected EmotetShow sources
                      Source: Yara matchFile source: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.494960467.0000000000710000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.231317711.0000000002194000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.496587282.0000000002284000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.230964663.0000000000600000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0.2.2ojdmC51As.exe.21e0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.iasrecst.exe.71052e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.iasrecst.exe.71279e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.2ojdmC51As.exe.60279e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.iasrecst.exe.71052e.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.2ojdmC51As.exe.60052e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.iasrecst.exe.71279e.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.iasrecst.exe.22c0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.2ojdmC51As.exe.60279e.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.2ojdmC51As.exe.60052e.2.unpack, type: UNPACKEDPE
                      Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exeCode function: 1_2_022C2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,1_2_022C2650