
Analysis Report https://docs.google.com/document/d/e/2PACX-1vTHxokJzX9OUXMh8lBwarsdX5O0hlgmi00z0_BhIg75kdRT_7hBaBMUdCJwRCHVrMqu5cqiq0UYRBNx/pub

Overview

General Information

Sample URL: https://docs.google.com/document/d/e/2PACX-1vTHxokJzX9OUXMh8lBwarsdX5O0hlgmi00z0_BhIg75kdRT_7hBaBMUdCJwRCHVrMqu5cqiq0UYRBNx/pub
Analysis ID: 289272

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 21
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Yara detected password protected xls with embedded macros
Found iframes
Potential browser exploit detected (process start blacklist hit)
Unusual large HTML page

Classification

Startup

  • System is w10x64
  • iexplore.exe (PID: 6604 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6648 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6604 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • EXCEL.EXE (PID: 5640 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /dde MD5: 5D6638F2C8F8571C593999C58866007E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\details_2309.xls.b2hlymi.partial | JoeSecurity_PasswordProtectedXlsWithEmbeddedMacros | Yara detected password protected xls with embedded macros | Joe Security |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\details_2309[1].xls | JoeSecurity_PasswordProtectedXlsWithEmbeddedMacros | Yara detected password protected xls with embedded macros | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: https://accounts.google.com/signin/v2/identifier?service=wise&passive=1209600&continue=https%3A%2F%2Fdocs.google.com%2Fabuse%3Fid%3DAKkXjox10EJVxvtAxSfb-IVnhr7RdFzQgNn-WuzgQeTQLduLSG_IyJob_mAUc6or54L4UuifnON_iK3KWy_vdHU%3A0&followup=https%3A%2F%2Fdocs.google.com%2Fabuse%3Fid%3DAKkXjox10EJVxvtAxSfb-IVnhr7RdFzQgNn-WuzgQeTQLduLSG_IyJob_mAUc6or54L4UuifnON_iK3KWy_vdHU%3A0&flowName=GlifWebSignIn&flowEntry=ServiceLogin | HTTP Parser: Iframe src: https://accounts.youtube.com/accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=2125809293&timestamp=1600917186151
Source: https://accounts.google.com/signin/v2/identifier?passive=1209600&continue=https%3A%2F%2Fdocs.google.com%2F&followup=https%3A%2F%2Fdocs.google.com%2F&emr=1&flowName=GlifWebSignIn&flowEntry=ServiceLogin | HTTP Parser: Iframe src: https://accounts.youtube.com/accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=995506&timestamp=1600917182223
Source: https://accounts.google.com/signin/v2/identifier?service=wise&passive=1209600&continue=https%3A%2F%2Fdocs.google.com%2Fabuse%3Fid%3DAKkXjox10EJVxvtAxSfb-IVnhr7RdFzQgNn-WuzgQeTQLduLSG_IyJob_mAUc6or54L4UuifnON_iK3KWy_vdHU%3A0&followup=https%3A%2F%2Fdocs.google.com%2Fabuse%3Fid%3DAKkXjox10EJVxvtAxSfb-IVnhr7RdFzQgNn-WuzgQeTQLduLSG_IyJob_mAUc6or54L4UuifnON_iK3KWy_vdHU%3A0&flowName=GlifWebSignIn&flowEntry=ServiceLogin | HTTP Parser: Total size: 1468438
Source: https://accounts.google.com/signin/v2/identifier?passive=1209600&continue=https%3A%2F%2Fdocs.google.com%2F&followup=https%3A%2F%2Fdocs.google.com%2F&emr=1&flowName=GlifWebSignIn&flowEntry=ServiceLogin | HTTP Parser: Total size: 1461285
Source: https://accounts.google.com/signin/v2/identifier?service=wise&passive=1209600&continue=https%3A%2F%2Fdocs.google.com%2Fabuse%3Fid%3DAKkXjox10EJVxvtAxSfb-IVnhr7RdFzQgNn-WuzgQeTQLduLSG_IyJob_mAUc6or54L4UuifnON_iK3KWy_vdHU%3A0&followup=https%3A%2F%2Fdocs.google.com%2Fabuse%3Fid%3DAKkXjox10EJVxvtAxSfb-IVnhr7RdFzQgNn-WuzgQeTQLduLSG_IyJob_mAUc6or54L4UuifnON_iK3KWy_vdHU%3A0&flowName=GlifWebSignIn&flowEntry=ServiceLogin | HTTP Parser: No <meta name="author".. found
Source: https://accounts.google.com/signin/v2/identifier?passive=1209600&continue=https%3A%2F%2Fdocs.google.com%2F&followup=https%3A%2F%2Fdocs.google.com%2F&emr=1&flowName=GlifWebSignIn&flowEntry=ServiceLogin | HTTP Parser: No <meta name="author".. found
Source: https://accounts.google.com/signin/v2/identifier?service=wise&passive=1209600&continue=https%3A%2F%2Fdocs.google.com%2Fabuse%3Fid%3DAKkXjox10EJVxvtAxSfb-IVnhr7RdFzQgNn-WuzgQeTQLduLSG_IyJob_mAUc6or54L4UuifnON_iK3KWy_vdHU%3A0&followup=https%3A%2F%2Fdocs.google.com%2Fabuse%3Fid%3DAKkXjox10EJVxvtAxSfb-IVnhr7RdFzQgNn-WuzgQeTQLduLSG_IyJob_mAUc6or54L4UuifnON_iK3KWy_vdHU%3A0&flowName=GlifWebSignIn&flowEntry=ServiceLogin | HTTP Parser: No <meta name="copyright".. found
Source: https://accounts.google.com/signin/v2/identifier?passive=1209600&continue=https%3A%2F%2Fdocs.google.com%2F&followup=https%3A%2F%2Fdocs.google.com%2F&emr=1&flowName=GlifWebSignIn&flowEntry=ServiceLogin | HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Source: msapplication.xml1.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa23f21c0,0x01d69220</date><accdate>0xa23f21c0,0x01d69220</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa23f21c0,0x01d69220</date><accdate>0xa23f21c0,0x01d69220</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa2418433,0x01d69220</date><accdate>0xa2418433,0x01d69220</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa2418433,0x01d69220</date><accdate>0xa2418433,0x01d69220</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa243e669,0x01d69220</date><accdate>0xa243e669,0x01d69220</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa243e669,0x01d69220</date><accdate>0xa243e669,0x01d69220</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: themes.googleusercontent.com
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: msapplication.xml.1.dr | String found in binary or memory: http://www.amazon.com/
Source: ServiceLogin[1].htm0.2.dr | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: msapplication.xml2.1.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml3.1.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml4.1.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.1.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.1.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.1.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.1.dr | String found in binary or memory: http://www.youtube.com/
Source: {CB366D75-FE13-11EA-90E3-ECF4BB570DC9}.dat.1.dr | String found in binary or memory: https://accounts.googl
Source: ServiceLogin[1].htm.2.dr | String found in binary or memory: https://accounts.google.com/
Source: m=sy16,sy18,sy1a,sy1b,sy2w,pwd_view[1].js.2.dr | String found in binary or memory: https://accounts.google.com/Logout
Source: ServiceLogin[1].htm.2.dr | String found in binary or memory: https://accounts.google.com/ServiceLogin?continue=https%3A%2F%2Fdocs.google.com%2F&amp;rip=1&amp;noj
Source: ~DFA27DE76150881E05.TMP.1.dr | String found in binary or memory: https://accounts.google.com/ServiceLogin?passive=1209600&continue=https://docs.google.com/&followup=
Source: ~DFA27DE76150881E05.TMP.1.dr | String found in binary or memory: https://accounts.google.com/ServiceLogin?service=wise&passive=1209600&continue=https://docs.google.c
Source: ServiceLogin[1].htm0.2.dr | String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: ServiceLogin[1].htm0.2.dr, ServiceLogin[1].htm.2.dr | String found in binary or memory: https://accounts.google.com/TOS?loc=GB&amp;hl=en-GB
Source: ServiceLogin[1].htm0.2.dr, ServiceLogin[1].htm.2.dr | String found in binary or memory: https://accounts.google.com/TOS?loc=GB&amp;hl=en-GB&amp;privacy=true
Source: ~DFA27DE76150881E05.TMP.1.dr | String found in binary or memory: https://accounts.google.com/signin/v2/identifier?passive=1209600&continue=https%3A%2F%2Fdocs.google.
Source: ~DFA27DE76150881E05.TMP.1.dr | String found in binary or memory: https://accounts.google.com/signin/v2/identifier?service=wise&passive=1209600&continue=https%3A%2F%2
Source: ServiceLogin[1].htm0.2.dr, ServiceLogin[1].htm.2.dr | String found in binary or memory: https://accounts.youtube.com/accounts/CheckConnection?pmpo
Source: ~DFA27DE76150881E05.TMP.1.dr | String found in binary or memory: https://accounts.youtube.com/accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=21258
Source: ~DFA27DE76150881E05.TMP.1.dr | String found in binary or memory: https://accounts.youtube.com/accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=99550
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://api.aadrm.com/
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://api.diagnostics.office.com
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://api.microsoftstream.com/api/
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://api.office.net
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://api.onedrive.com
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: ServiceLogin[1].htm0.2.dr | String found in binary or memory: https://apis.google.com/js/base.js
Source: ServiceLogin[1].htm0.2.dr | String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://apis.live.net/v5.0/
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://augloop.office.com
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://cdn.entity.
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://clients.config.office.net/
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://config.edge.skype.com
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://cortana.ai
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://cr.office.com
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://dataservice.o365filtering.com
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://dataservice.o365filtering.com/
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://devnull.onenote.com
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://directory.services.
Source: {CB366D75-FE13-11EA-90E3-ECF4BB570DC9}.dat.1.dr | String found in binary or memory: https://docs.g/url?q=https://privacy-store2020.net/xls_ss.php&sa=D&ust=1600888324022000&usg=AOvVaw3-
Source: {CB366D75-FE13-11EA-90E3-ECF4BB570DC9}.dat.1.dr | String found in binary or memory: https://docs.gRoot
Source: {CB366D75-FE13-11EA-90E3-ECF4BB570DC9}.dat.1.dr | String found in binary or memory: https://docs.ge.com/ServiceLogin?passive=1209600&continue=https://docs.google.com/&followup=https://
Source: {CB366D75-FE13-11EA-90E3-ECF4BB570DC9}.dat.1.dr | String found in binary or memory: https://docs.ge.com/ServiceLogin?service=wise&passive=1209600&continue=https://docs.google.com/abuse
Source: {CB366D75-FE13-11EA-90E3-ECF4BB570DC9}.dat.1.dr | String found in binary or memory: https://docs.ge.com/signin/v2/identifier?passive=1209600&continue=https%3A%2F%2Fdocs.google.com%2F&f
Source: {CB366D75-FE13-11EA-90E3-ECF4BB570DC9}.dat.1.dr | String found in binary or memory: https://docs.ge.com/signin/v2/identifier?service=wise&passive=1209600&continue=https%3A%2F%2Fdocs.go
Source: ~DFA27DE76150881E05.TMP.1.dr | String found in binary or memory: https://docs.google.com/
Source: {CB366D75-FE13-11EA-90E3-ECF4BB570DC9}.dat.1.dr | String found in binary or memory: https://docs.google.com/&followup=https://docs.google.com/&emr=1
Source: {CB366D75-FE13-11EA-90E3-ECF4BB570DC9}.dat.1.dr | String found in binary or memory: https://docs.google.com/&followup=https://docs.googltps%3A%2F%2Fdocs.google.com%2F&e
Source: {CB366D75-FE13-11EA-90E3-ECF4BB570DC9}.dat.1.dr | String found in binary or memory: https://docs.google.com/abuse?id%3DAKkXFabuse%3Fid%3DAKkXjox10EJVxvtAxS
Source: {CB366D75-FE13-11EA-90E3-ECF4BB570DC9}.dat.1.dr | String found in binary or memory: https://docs.google.com/abuse?id%3DAKkXRoot
Source: {CB366D75-FE13-11EA-90E3-ECF4BB570DC9}.dat.1.dr | String found in binary or memory: https://docs.google.com/abuse?id%3DAKkXjox10EJVxvtAxSfb-IVnhr7RdFzQgNn-
Source: ~DFA27DE76150881E05.TMP.1.dr, {CB366D75-FE13-11EA-90E3-ECF4BB570DC9}.dat.1.dr | String found in binary or memory: https://docs.google.com/abuse?id%3DAKkXjox10EJVxvtAxSfb-IVnhr7RdFzQgNn-WuzgQeTQLduLSG_IyJob_mAUc6or5
Source: ~DFA27DE76150881E05.TMP.1.dr, {CB366D75-FE13-11EA-90E3-ECF4BB570DC9}.dat.1.dr | String found in binary or memory: https://docs.google.com/document/d/e/2PACX-1vTHxokJzX9OUXMh8lBwarsdX5O0hlgmi00z0_BhIg75kdRT_7hBaBMUd
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: css[2].css.2.dr | String found in binary or memory: https://fonts.google.com/license/googlerestricted
Source: pub[1].htm.2.dr | String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: pub[1].htm.2.dr | String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto
Source: css[2].css.2.dr | String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlL3Owpg.woff)
Source: css[1].css0.2.dr | String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff)
Source: css[1].css.2.dr | String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Mu4mxM.woff)
Source: ServiceLogin[1].htm0.2.dr | String found in binary or memory: https://g.co/
Source: m=xUdipf,qfNSff,NwH0H,lCVo3d,MB66Qc,L1AAkb,eV9nn,zf3eV,zwU6q,O6y8ed,aW3pY,Z7PiFb,OUAKhb,ZDlobb,CX9aud,O5seLe,nqpTHe,RZunBd,NAySvc,I6YDgd,zUkBoe,BHEQ4d,pNNB8d,KepPLc,sy5h,m5Z1Eb,G0cNr[1].js.2.dr | String found in binary or memory: https://g.co/recover
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://graph.ppe.windows.net
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://graph.ppe.windows.net/
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://graph.windows.net
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://graph.windows.net/
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&amp;premium=1
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&amp;premium=1
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&amp;premium=1
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://incidents.diagnostics.office.com
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: pub[1].htm.2.dr | String found in binary or memory: https://lh4.googleusercontent.com/ogIDUvXbYUCouRpSnwqjWhpW5wmMmYZ755FENWr8q9lUD2rrx5tJaiv2nxI-7dIGil
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://lifecycle.office.com
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://login.microsoftonline.com/
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://login.microsoftonline.com/common
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://login.windows.local
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://management.azure.com
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://management.azure.com/
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://messaging.office.com/
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://ncus-000.contentsync.
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://ncus-000.pagecontentsync.
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://officeapps.live.com
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://onedrive.live.com
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://onedrive.live.com/embed?
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: ServiceLogin[1].htm0.2.dr | String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: m=xUdipf,qfNSff,NwH0H,lCVo3d,MB66Qc,L1AAkb,eV9nn,zf3eV,zwU6q,O6y8ed,aW3pY,Z7PiFb,OUAKhb,ZDlobb,CX9aud,O5seLe,nqpTHe,RZunBd,NAySvc,I6YDgd,zUkBoe,BHEQ4d,pNNB8d,KepPLc,sy5h,m5Z1Eb,G0cNr[1].js.2.dr, ServiceLogin[1].htm0.2.dr | String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://powerlift.acompli.net
Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.dr | String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: url[1].htm.2.dr | String found in binary or memory: https://privacy-store2020.net/xls_ss.php
Source: {CB366D75-FE13-11EA-90E3-ECF4BB570DC9}.dat.1.dr | String found in binary or memory: https://privacy-store2020.net/xls_ss.php&sa=D&ust=1600888324022000&usg=AOvVaw3-SnDXIS6OLxRoot
      Source: {CB366D75-FE13-11EA-90E3-ECF4BB570DC9}.dat.1.drString found in binary or memory: https://privacy-store2020.net/xls_ss.php&sa=D&ust=1600888324022000&usg=AOvVaw3-SnDXIS6OLxe.com/&emr=
      Source: {CB366D75-FE13-11EA-90E3-ECF4BB570DC9}.dat.1.drString found in binary or memory: https://privacy-store2020.net/xls_ss.php&sa=D&ust=1600888324022000&usg=AOvVaw3-SnDXIS6OLxlilX8VdbPe
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://retailer.osi.office.net/appstate/query
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://settings.outlook.com
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://shell.suite.office.com:1443
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://skyapi.live.net/Activity/
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ad_personalization.png
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/expanded_initial_settings.png
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around.svg
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_accounts.svg
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.png
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_familylink.svg
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_privacy.svg
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.png
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_two_bikes.png
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.png
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/embedded/youtube_history.png
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/signup/glif/account.svg
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/signup/glif/family.svg
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/signup/glif/personal.svg
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/signup/glif/privacy.svg
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/signup/glif/safe.svg
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/signup/glif/verify-email.svg
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/signup/glif/verify.svg
      Source: ServiceLogin[1].htm0.2.dr, ServiceLogin[1].htm.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/static/_/js/k=gaia.gaiafe_glif.en_GB.LcAlRVZZkdM.O/am=_40fMHAHRKABB
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
      Source: imagestore.dat.2.dr, pub[1].htm.2.drString found in binary or memory: https://ssl.gstatic.com/docs/documents/images/kix-favicon7.ico
      Source: imagestore.dat.2.drString found in binary or memory: https://ssl.gstatic.com/docs/documents/images/kix-favicon7.ico~
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/ui/v1/activityindicator/loading.svg
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://store.office.cn/addinstemplate
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://store.office.com/?productgroup=Outlook
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://store.office.com/addinstemplate
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://store.office.de/addinstemplate
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://store.officeppe.com/addinstemplate
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://support.google.com/accounts/answer/7162782
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://support.google.com/accounts?hl=
      Source: ServiceLogin[1].htm0.2.dr, ServiceLogin[1].htm.2.drString found in binary or memory: https://support.google.com/accounts?hl=en-GB
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://support.google.com/accounts?p=existing-account
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://support.google.com/accounts?p=signin_privatebrowsing
      Source: m=syd,sye,identifier_view[1].js0.2.dr, ServiceLogin[1].htm0.2.drString found in binary or memory: https://support.google.com/chrome/answer/6130773
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://support.google.com/chromebook/?p=familylink_accounts?hl=
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://tasks.office.com
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://templatelogging.office.com/client/log
      Source: pub[1].htm.2.drString found in binary or memory: https://themes.googleusercontent.com/fonts/css?kit=OPeqXG-QxW3ZD8BtmPikfA
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://web.microsoftstream.com/video/
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://wus2-000.contentsync.
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://wus2-000.pagecontentsync.
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
      Source: {CB366D75-FE13-11EA-90E3-ECF4BB570DC9}.dat.1.dr, ServiceLogin[1].htm0.2.drString found in binary or memory: https://www.google.com
      Source: imagestore.dat.2.drString found in binary or memory: https://www.google.com/favicon.ico
      Source: imagestore.dat.2.drString found in binary or memory: https://www.google.com/favicon.ico~
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://www.google.com/log?format=json&hasfast=true
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://www.google.com/settings/hatsv2
      Source: pub[1].htm.2.drString found in binary or memory: https://www.google.com/url?q=https://privacy-store2020.net/xls_ss.php&amp;sa=D&amp;ust=1600888324022
      Source: ~DFA27DE76150881E05.TMP.1.drString found in binary or memory: https://www.google.com/url?q=https://privacy-store2020.net/xls_ss.php&sa=D&ust=1600888324022000&usg=
      Source: {CB366D75-FE13-11EA-90E3-ECF4BB570DC9}.dat.1.drString found in binary or memory: https://www.google.comm/document/d/e/2PACX-1vTHxokJzX9OUXMh8lBwarsdX5O0hlgmi00z0_BhIg75kdRT_7hBaBMUd
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
      Source: ServiceLogin[1].htm0.2.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
      Source: 3B86F241-C4B4-4184-968B-0150CF51FED6.12.drString found in binary or memory: https://www.odwebp.svc.ms
      Source: classification engine | Classification label: sus21.expl.win@5/54@4/3
      Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
      Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\Low
      Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
      Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
      Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6604 CREDAT:17410 /prefetch:2
      Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /dde
      Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6604 CREDAT:17410 /prefetch:2
      Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /dde
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
      Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX

      HIPS / PFW / Operating System Protection Evasion:

      Yara detected password protected xls with embedded macros
      Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\details_2309.xls.b2hlymi.partial, type: DROPPED
      Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\details_2309[1].xls, type: DROPPED

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Drive-by Compromise (1) | Exploitation for Client Execution (1) | Path Interception | Process Injection (1) | Masquerading (1) | OS Credential Dumping | File and Directory Discovery (1) | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel (2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection (1) | LSASS Memory | System Information Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data

      Behavior Graph
