Loading ...

Play interactive tourEdit tour

Analysis Report CV.xlsb

Overview

General Information

Sample Name:CV.xlsb
Analysis ID:320216
MD5:08b6718f28bd303f0b407e0ec0f30872
SHA1:824489d6a73609db8763172a2e9f2e9d9f7c63a4
SHA256:65d6c6478fb750394d0517f5ff77fa13dfd354dbbec4cff3ec9e897bf8e3e926
Tags:IcedIDmacrosxlsx

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Sigma detected: Microsoft Office Product Spawning Windows Shell
IP address seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication

Classification

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 5864 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • rundll32.exe (PID: 6552 cmdline: 'C:\Windows\System32\rundll32.exe' C:\gPOCoPl\xMtLxCb\WSGaRIW.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

barindex
Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis: Data: Command: 'C:\Windows\System32\rundll32.exe' C:\gPOCoPl\xMtLxCb\WSGaRIW.dll,DllRegisterServer, CommandLine: 'C:\Windows\System32\rundll32.exe' C:\gPOCoPl\xMtLxCb\WSGaRIW.dll,DllRegisterServer, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 5864, ProcessCommandLine: 'C:\Windows\System32\rundll32.exe' C:\gPOCoPl\xMtLxCb\WSGaRIW.dll,DllRegisterServer, ProcessId: 6552

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Multi AV Scanner detection for domain / URLShow sources
Source: http://205.185.113.20/BVd1qKwdVirustotal: Detection: 10%Perma Link
Source: http://205.185.113.20/BVd1qKwdVirustotal: Detection: 10%Perma Link
Multi AV Scanner detection for submitted fileShow sources
Source: CV.xlsbVirustotal: Detection: 9%Perma Link
Source: CV.xlsbReversingLabs: Detection: 14%
Source: CV.xlsbVirustotal: Detection: 9%Perma Link
Source: CV.xlsbReversingLabs: Detection: 14%

Software Vulnerabilities:

barindex
Document exploit detected (UrlDownloadToFile)Show sources
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXESection loaded: unknown origin: URLDownloadToFileAJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXESection loaded: unknown origin: URLDownloadToFileAJump to behavior
Document exploit detected (process start blacklist hit)Show sources
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\rundll32.exeJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\rundll32.exeJump to behavior
Source: global trafficTCP traffic: 192.168.2.4:49730 -> 205.185.113.20:80
Source: global trafficTCP traffic: 192.168.2.4:49730 -> 205.185.113.20:80
Source: global trafficTCP traffic: 192.168.2.4:49730 -> 205.185.113.20:80
Source: global trafficTCP traffic: 192.168.2.4:49730 -> 205.185.113.20:80
Source: Joe Sandbox ViewIP Address: 205.185.113.20 205.185.113.20
Source: Joe Sandbox ViewIP Address: 205.185.113.20 205.185.113.20
Source: global trafficHTTP traffic detected: GET /BVd1qKwd HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 205.185.113.20Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /BVd1qKwd HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 205.185.113.20Connection: Keep-Alive
Source: unknownTCP traffic detected without corresponding DNS query: 205.185.113.20
Source: unknownTCP traffic detected without corresponding DNS query: 205.185.113.20
Source: unknownTCP traffic detected without corresponding DNS query: 205.185.113.20
Source: unknownTCP traffic detected without corresponding DNS query: 205.185.113.20
Source: unknownTCP traffic detected without corresponding DNS query: 205.185.113.20
Source: unknownTCP traffic detected without corresponding DNS query: 205.185.113.20
Source: unknownTCP traffic detected without corresponding DNS query: 205.185.113.20
Source: unknownTCP traffic detected without corresponding DNS query: 205.185.113.20
Source: unknownTCP traffic detected without corresponding DNS query: 205.185.113.20
Source: unknownTCP traffic detected without corresponding DNS query: 205.185.113.20
Source: unknownTCP traffic detected without corresponding DNS query: 205.185.113.20
Source: unknownTCP traffic detected without corresponding DNS query: 205.185.113.20
Source: global trafficHTTP traffic detected: GET /BVd1qKwd HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 205.185.113.20Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /BVd1qKwd HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 205.185.113.20Connection: Keep-Alive
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 19 Nov 2020 06:13:37 GMTContent-Type: text/html; charset=UTF-8Content-Length: 0Connection: keep-aliveCache-Control: no-cache, no-store, must-revalidate,post-check=0,pre-check=0Expires: 0Last-Modified: Thu, 19 Nov 2020 06:13:37 GMTPragma: no-cacheSet-Cookie: _subid=1p924021ov5;Expires=Sunday, 20-Dec-2020 06:13:37 GMT;Max-Age=2678400;Path=/Vary: Accept-Encoding
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 19 Nov 2020 06:13:37 GMTContent-Type: text/html; charset=UTF-8Content-Length: 0Connection: keep-aliveCache-Control: no-cache, no-store, must-revalidate,post-check=0,pre-check=0Expires: 0Last-Modified: Thu, 19 Nov 2020 06:13:37 GMTPragma: no-cacheSet-Cookie: _subid=1p924021ov5;Expires=Sunday, 20-Dec-2020 06:13:37 GMT;Max-Age=2678400;Path=/Vary: Accept-Encoding
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://api.aadrm.com/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://api.diagnostics.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://api.microsoftstream.com/api/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://api.office.net
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://api.onedrive.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://apis.live.net/v5.0/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://augloop.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://augloop.office.com/v2
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://autodiscover-s.outlook.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://cdn.entity.
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://clients.config.office.net/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://config.edge.skype.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://cortana.ai
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://cr.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://dataservice.o365filtering.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://dataservice.o365filtering.com/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://devnull.onenote.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://directory.services.
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://graph.ppe.windows.net
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://graph.ppe.windows.net/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://graph.windows.net
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://graph.windows.net/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://incidents.diagnostics.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://lifecycle.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://login.microsoftonline.com/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://login.windows.local
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://management.azure.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://management.azure.com/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://messaging.office.com/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://ncus-000.contentsync.
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://ncus-000.pagecontentsync.
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://officeapps.live.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://onedrive.live.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://onedrive.live.com/embed?
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://outlook.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://outlook.office365.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://powerlift.acompli.net
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://settings.outlook.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://shell.suite.office.com:1443
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://skyapi.live.net/Activity/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://store.office.cn/addinstemplate
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://store.office.com/addinstemplate
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://store.office.de/addinstemplate
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://tasks.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://templatelogging.office.com/client/log
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://wus2-000.contentsync.
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://wus2-000.pagecontentsync.
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://www.odwebp.svc.ms
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://api.aadrm.com/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://api.diagnostics.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://api.microsoftstream.com/api/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://api.office.net
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://api.onedrive.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://apis.live.net/v5.0/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://augloop.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://augloop.office.com/v2
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://autodiscover-s.outlook.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://cdn.entity.
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://clients.config.office.net/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://config.edge.skype.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://cortana.ai
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://cr.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://dataservice.o365filtering.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://dataservice.o365filtering.com/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://devnull.onenote.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://directory.services.
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://graph.ppe.windows.net
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://graph.ppe.windows.net/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://graph.windows.net
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://graph.windows.net/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://incidents.diagnostics.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://lifecycle.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://login.microsoftonline.com/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://login.windows.local
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://management.azure.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://management.azure.com/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://messaging.office.com/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://ncus-000.contentsync.
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://ncus-000.pagecontentsync.
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://officeapps.live.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://onedrive.live.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://onedrive.live.com/embed?
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://outlook.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://outlook.office365.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://powerlift.acompli.net
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://settings.outlook.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://shell.suite.office.com:1443
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://skyapi.live.net/Activity/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://store.office.cn/addinstemplate
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://store.office.com/addinstemplate
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://store.office.de/addinstemplate
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://tasks.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://templatelogging.office.com/client/log
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://wus2-000.contentsync.
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://wus2-000.pagecontentsync.
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://www.odwebp.svc.ms

System Summary:

barindex
Found Excel 4.0 Macro with suspicious formulasShow sources
Source: CV.xlsbInitial sample: CALL
Source: CV.xlsbInitial sample: CALL
Found abnormal large hidden Excel 4.0 Macro sheetShow sources
Source: CV.xlsbInitial sample: Sheet size: 777285
Source: CV.xlsbInitial sample: Sheet size: 777285
Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: sfc.dllJump to behavior
Source: classification engineClassification label: mal76.expl.evad.winXLSB@3/5@0/1
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCacheJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCacheJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{938ACD9C-333E-4932-A3B0-F7ADCF65D160} - OProcSessId.datJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{938ACD9C-333E-4932-A3B0-F7ADCF65D160} - OProcSessId.datJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\gPOCoPl\xMtLxCb\WSGaRIW.dll,DllRegisterServer
Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\gPOCoPl\xMtLxCb\WSGaRIW.dll,DllRegisterServer
Source: CV.xlsbVirustotal: Detection: 9%
Source: CV.xlsbReversingLabs: Detection: 14%
Source: CV.xlsbVirustotal: Detection: 9%
Source: CV.xlsbReversingLabs: Detection: 14%
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\gPOCoPl\xMtLxCb\WSGaRIW.dll,DllRegisterServer
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\gPOCoPl\xMtLxCb\WSGaRIW.dll,DllRegisterServerJump to behavior
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\gPOCoPl\xMtLxCb\WSGaRIW.dll,DllRegisterServer
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\gPOCoPl\xMtLxCb\WSGaRIW.dll,DllRegisterServerJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguagesJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguagesJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: rundll32.exe, 00000003.00000002.686713959.0000000004CA0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: rundll32.exe, 00000003.00000002.686713959.0000000004CA0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: rundll32.exe, 00000003.00000002.686713959.0000000004CA0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: rundll32.exe, 00000003.00000002.686713959.0000000004CA0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: rundll32.exe, 00000003.00000002.686713959.0000000004CA0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: rundll32.exe, 00000003.00000002.686713959.0000000004CA0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: rundll32.exe, 00000003.00000002.686713959.0000000004CA0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: rundll32.exe, 00000003.00000002.686713959.0000000004CA0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsScripting2DLL Side-Loading1Process Injection1Masquerading1OS Credential DumpingSecurity Software Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumNon-Application Layer Protocol2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsExploitation for Client Execution22Boot or Logon Initialization ScriptsDLL Side-Loading1Rundll321LSASS MemoryFile and Directory Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol12Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection1Security Account ManagerSystem Information Discovery2SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationIngress Tool Transfer3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Scripting2NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDLL Side-Loading1LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.