Analysis Report ACH WIRE PAYMENT ADVICE..xlsx

Overview

General Information

Sample Name: ACH WIRE PAYMENT ADVICE..xlsx
Analysis ID: 339280
MD5: a66a202e970df086cc265cb646127bfb
SHA1: c8986173e16bb9b0703490afba594ec5eef08a4a
SHA256: e29c6206512f1f778f1af9a1ff2af2bb82107271e00c873930398b703294d75e

Detection

HTMLPhisher
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish_25
Document exploit detected (process start blacklist hit)
Phishing site detected (based on image similarity)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware

Classification

Phishing:

Yara detected HtmlPhish_25
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ZlFRrg5s[1].htm, type: DROPPED
Phishing site detected (based on image similarity)
Source: https://images.typeform.com/images/nXkRcNPp6wtg/background/large Matcher: Found strong image similarity, brand: Microsoft
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Temp\1380_672153427\LICENSE.txt
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Program Files\Google\Chrome\Application\chrome.exe

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.247.242.19
Source: Joe Sandbox View IP Address: 143.204.99.83
Source: Joe Sandbox View IP Address: 162.247.242.21
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View JA3 fingerprint: b32309a26951912be7dba376398abc3b
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS traffic detected: queries for: 24mbw17feyn.typeform.com
Source: D4DE5721-EBA8-4504-8FEE-A00A3563C20B.0.dr String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: messages.json87.19.dr String found in binary or memory: https://support.google.com/chromecast/answer/2998456
Source: messages.json87.19.dr String found in binary or memory: https://support.google.com/chromecast/troubleshooter/2995236
Source: D4DE5721-EBA8-4504-8FEE-A00A3563C20B.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: D4DE5721-EBA8-4504-8FEE-A00A3563C20B.0.dr String found in binary or memory: https://tasks.office.com
Source: D4DE5721-EBA8-4504-8FEE-A00A3563C20B.0.dr String found in binary or memory: https://templatelogging.office.com/client/log
Source: 06e7ddbb9e13886c_0.19.dr String found in binary or memory: https://typeform.com/
Source: D4DE5721-EBA8-4504-8FEE-A00A3563C20B.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: D4DE5721-EBA8-4504-8FEE-A00A3563C20B.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: D4DE5721-EBA8-4504-8FEE-A00A3563C20B.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: D4DE5721-EBA8-4504-8FEE-A00A3563C20B.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: D4DE5721-EBA8-4504-8FEE-A00A3563C20B.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: D4DE5721-EBA8-4504-8FEE-A00A3563C20B.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: D4DE5721-EBA8-4504-8FEE-A00A3563C20B.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: D4DE5721-EBA8-4504-8FEE-A00A3563C20B.0.dr String found in binary or memory: https://wus2-000.contentsync.
Source: D4DE5721-EBA8-4504-8FEE-A00A3563C20B.0.dr String found in binary or memory: https://wus2-000.pagecontentsync.
Source: D4DE5721-EBA8-4504-8FEE-A00A3563C20B.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: f1a10366-1ee1-4f75-bd61-9f6fbc002c7c.tmp.20.dr, manifest.json0.19.dr, 885d0152-61f9-4bc2-8f6d-3463cb597828.tmp.20.dr String found in binary or memory: https://www.google.com
Source: manifest.json.19.dr String found in binary or memory: https://www.google.com/
Source: manifest.json0.19.dr String found in binary or memory: https://www.google.com;
Source: f1a10366-1ee1-4f75-bd61-9f6fbc002c7c.tmp.20.dr, 885d0152-61f9-4bc2-8f6d-3463cb597828.tmp.20.dr String found in binary or memory: https://www.googleapis.com
Source: manifest.json.19.dr String found in binary or memory: https://www.googleapis.com/
Source: manifest.json0.19.dr String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: manifest.json0.19.dr String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: manifest.json.19.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json.19.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json0.19.dr String found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: manifest.json0.19.dr String found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: manifest.json0.19.dr String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: manifest.json0.19.dr String found in binary or memory: https://www.googleapis.com/auth/meetings
Source: manifest.json0.19.dr String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: manifest.json.19.dr String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json.19.dr String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: manifest.json0.19.dr String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: f1a10366-1ee1-4f75-bd61-9f6fbc002c7c.tmp.20.dr, 885d0152-61f9-4bc2-8f6d-3463cb597828.tmp.20.dr String found in binary or memory: https://www.gstatic.com
Source: manifest.json0.19.dr String found in binary or memory: https://www.gstatic.com;
Source: D4DE5721-EBA8-4504-8FEE-A00A3563C20B.0.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown HTTPS traffic detected: 143.204.93.100:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown HTTPS traffic detected: 143.204.93.100:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown HTTPS traffic detected: 143.204.93.16:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown HTTPS traffic detected: 143.204.93.16:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.224.194.7:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.224.194.7:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 143.204.99.83:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 143.204.99.83:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown HTTPS traffic detected: 54.69.177.146:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown HTTPS traffic detected: 54.69.177.146:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: unknown HTTPS traffic detected: 143.204.93.16:443 -> 192.168.2.4:49788 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.247.242.19:443 -> 192.168.2.4:49789 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.247.242.19:443 -> 192.168.2.4:49790 version: TLS 1.2
Source: unknown HTTPS traffic detected: 54.190.208.247:443 -> 192.168.2.4:49803 version: TLS 1.2
Source: unknown HTTPS traffic detected: 54.190.208.247:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 54.190.208.247:443 -> 192.168.2.4:49807 version: TLS 1.2
Source: classification engine Classification label: mal56.phis.expl.winXLSX@45/224@18/11
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{C4007B88-B1AD-451C-A9F5-4D7CE7C996E8} - OProcSessId.dat Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5540 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' -- 'https://24mbw17feyn.typeform.com/to/ZlFRrg5s'
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,8369915553311949587,2127772347523126301,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1720 /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' -- 'https://24mbw17feyn.typeform.com/to/ZlFRrg5s' Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5540 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,8369915553311949587,2127772347523126301,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1720 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown (37 identical entries) Jump to behavior
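The process chain above, EXCEL.EXE starting chrome.exe with https://24mbw17feyn.typeform.com/to/ZlFRrg5s on the command line, is the pattern behind the report's "Document exploit detected (process start blacklist hit)" signature. The Python below is an added example and not part of the Joe Sandbox report: it parses "Process created" lines written in the report's own format and flags an Office application starting a browser, recording any URL found on the child's command line. The input lines are constructed to mirror the entries above, and the Office and browser image-name sets are assumptions to be tuned per estate.

```python
"""Added example, not from the Joe Sandbox report: flag an Office process
starting a browser with a URL argument, parsed from "Process created" lines
written in the report's own format.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed image-name sets; extend for the Office and browser builds you run.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
BROWSERS = {"chrome.exe", "iexplore.exe", "msedge.exe", "firefox.exe"}

# Report line shape: "Source: <parent> Process created: <child> '<cmdline>' Jump to behavior"
LINE_RE = re.compile(
    r"^Source:\s+(?P<parent>.+?)\s+Process created:\s+(?P<child>.+?)\s+"
    r"(?P<cmd>'.*?)(?:\s+Jump to behavior)?$"
)
URL_RE = re.compile(r"https?://[^\s'\"]+")

# Constructed lines that mirror the report's entries (not copied from a live host).
SAMPLE_LINES = [
    r"Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding",
    r"Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' -- 'https://24mbw17feyn.typeform.com/to/ZlFRrg5s' Jump to behavior",
    r"Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5540 CREDAT:17410 /prefetch:2 Jump to behavior",
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --lang=en-GB /prefetch:8 Jump to behavior",
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior",
]


@dataclass
class Finding:
    parent: str
    child: str
    url: Optional[str]
    line: str


def basename(path: str) -> str:
    """Lower-cased image name from a Windows path ("unknown" stays "unknown")."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_process_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (parent, child, command line) or None when the line carries no
    command line, as with the report's "unknown unknown" entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("parent"), m.group("child"), m.group("cmd")


def flag_office_to_browser(lines: List[str]) -> List[Finding]:
    """Flag Office parent -> browser child and capture the first URL argument."""
    findings = []
    for line in lines:
        parsed = parse_process_line(line)
        if parsed is None:
            continue
        parent, child, cmd = parsed
        if basename(parent) in OFFICE_APPS and basename(child) in BROWSERS:
            m = URL_RE.search(cmd)
            findings.append(Finding(parent, child, m.group(0) if m else None, line))
    return findings


if __name__ == "__main__":
    for f in flag_office_to_browser(SAMPLE_LINES):
        print(f"{basename(f.parent)} -> {basename(f.child)} url={f.url}")
```

A user clicking a benign hyperlink in a spreadsheet produces the same parent/child pair, so in production this check is noisy on its own; correlate it with how the document arrived (mail attachment, Mark-of-the-Web) or with the destination. Note that the destination here is a legitimate SaaS host (typeform.com), which is why the report's phishing verdict rests on the Yara hit against the dropped ZlFRrg5s[1].htm and on image similarity to a Microsoft brand image rather than on domain reputation.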
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Temp\1380_672153427\LICENSE.txt Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (44 identical entries) Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
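Excel handed https://24mbw17feyn.typeform.com/to/ZlFRrg5s to Chrome without any macro or shellcode activity appearing in the process list, which is consistent with a plain hyperlink in the workbook; that mechanism is an assumption, since the report does not show the workbook's contents. The Python below is an added example, not part of the Joe Sandbox report, showing how to pull such targets out of an .xlsx statically: an .xlsx is a zip of XML parts, cell hyperlinks are stored as TargetMode="External" relationships in *.rels parts, and HYPERLINK() formulas and visible text sit in the worksheet and sharedStrings parts. The workbook it inspects is constructed in memory; the example.invalid hosts are placeholders.

```python
"""Added example, not from the Joe Sandbox report: static triage of an .xlsx
for external link targets and URL-bearing text, without opening it in Excel.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # for hostile input consider defusedxml

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_XMLNS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # refuse to inflate oversized parts (zip bombs)

LURE_URL = "https://24mbw17feyn.typeform.com/to/ZlFRrg5s"  # URL from the report


def build_sample_xlsx() -> bytes:
    """Constructed minimal workbook (not the analysed sample): A1 carries a
    hyperlink to the report's URL, A2 a HYPERLINK() formula, and one shared
    string contains a URL in plain text."""
    sheet = (
        f'<worksheet xmlns="{MAIN_NS}" xmlns:r="{REL_XMLNS}">'
        '<sheetData><row r="2"><c r="A2" t="str">'
        '<f>HYPERLINK("https://example.invalid/verify","Verify account")</f>'
        '<v>Verify account</v></c></row></sheetData>'
        '<hyperlinks><hyperlink ref="A1" r:id="rId1"/></hyperlinks>'
        '</worksheet>'
    )
    rels = (
        f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
        f'Type="{REL_XMLNS}/hyperlink" Target="{LURE_URL}" TargetMode="External"/>'
        '</Relationships>'
    )
    shared = (
        f'<sst xmlns="{MAIN_NS}" count="1" uniqueCount="1">'
        '<si><t>Payment advice: open https://example.invalid/help for details</t></si></sst>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/worksheets/sheet1.xml", sheet)
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
        z.writestr("xl/sharedStrings.xml", shared)
    return buf.getvalue()


def _parse_member(z: zipfile.ZipFile, info: zipfile.ZipInfo):
    """Parse one zip member as XML, skipping oversized or malformed parts."""
    if info.file_size > MAX_MEMBER_BYTES:
        return None
    try:
        return ET.fromstring(z.read(info.filename))
    except ET.ParseError:
        return None


def triage_xlsx(data: bytes) -> dict:
    """Return every External relationship target and every URL found in the
    text of worksheet and sharedStrings parts."""
    external = []  # (part name, relationship type, target)
    text_urls = set()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            if name.endswith(".rels"):
                # Scan every .rels part: hyperlinks, OLE links and external
                # workbook links all surface as TargetMode="External".
                root = _parse_member(z, info)
                if root is None:
                    continue
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                        external.append((name, rtype, rel.get("Target", "")))
            elif name == "xl/sharedStrings.xml" or (
                name.startswith("xl/worksheets/") and name.endswith(".xml")
            ):
                # Formulas (<f>) and strings (<t>, <v>) may carry URLs as text.
                root = _parse_member(z, info)
                if root is None:
                    continue
                for el in root.iter():
                    if el.text:
                        text_urls.update(URL_RE.findall(el.text))
    return {"external_relationships": external, "text_urls": sorted(text_urls)}


if __name__ == "__main__":
    report = triage_xlsx(build_sample_xlsx())
    for part, rtype, target in report["external_relationships"]:
        print(f"{part}: {rtype} -> {target}")
    print("text URLs:", report["text_urls"])
```

Run this over an attachment before detonation to get the destination without a sandbox; the relationship type tells you whether the target is a clickable hyperlink, an OLE link or an external workbook reference, which changes how much user interaction the lure needs.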
Behavior Graph (rendered as an image in the report; the node and edge text is summarised here)

Behavior Graph ID: 339280   Sample: ACH WIRE PAYMENT ADVICE..xlsx   Startdate: 13/01/2021   Architecture: WINDOWS   Score: 56
Sample-level signatures: Yara detected HtmlPhish_25; Phishing site detected (based on image similarity)

EXCEL.EXE (started from the sample)
  contacts 192.168.2.1, images.typeform.com and 2 other IPs or domains
  signature: Document exploit detected (process start blacklist hit)
  starts chrome.exe
    contacts 239.255.255.250 (Reserved)
    drops C:\Users\user\AppData\Local\...\temp-index (x86)
    starts chrome.exe
      contacts googlehosted.l.googleusercontent.com 108.177.126.132:443 (local port 49808, GOOGLEUS, United States)
      contacts 54.190.208.247:443 (local ports 49803, 49806, AMAZON-02US, United States)
      contacts 11 other IPs or domains
iexplore.exe (started from the sample)
  starts iexplore.exe
    contacts 162.247.242.19:443 (local ports 49789, 49790, NEWRELIC-AS-1US, United States)
    contacts bam.nr-data.net 162.247.242.21:443 (NEWRELIC-AS-1US, United States)
    contacts 11 other IPs or domains
    drops C:\Users\user\AppData\...\ZlFRrg5s[1].htm (HTML)

Contacted Public IPs

IP               Domain   Country        ASN      ASN Name         Malicious
13.224.194.7     unknown  United States  16509    AMAZON-02US      false
162.247.242.19   unknown  United States  23467    NEWRELIC-AS-1US  false
54.190.208.247   unknown  United States  16509    AMAZON-02US      false
143.204.93.100   unknown  United States  16509    AMAZON-02US      false
143.204.99.83    unknown  United States  16509    AMAZON-02US      false
162.247.242.21   unknown  United States  23467    NEWRELIC-AS-1US  false
239.255.255.250  unknown  Reserved       unknown  unknown          false
108.177.126.132  unknown  United States  15169    GOOGLEUS         false
143.204.93.16    unknown  United States  16509    AMAZON-02US      false
54.69.177.146    unknown  United States  16509    AMAZON-02US      false

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
d296je7bbdd650.cloudfront.net 143.204.99.83 true
api.segment.io 54.69.177.146 true
d2citsn5wf4j9j.cloudfront.net 143.204.93.100 true
d2nvsmtq2poimt.cloudfront.net 143.204.93.16 true
bam.nr-data.net 162.247.242.21 true
googlehosted.l.googleusercontent.com 108.177.126.132 true
d2p6vz8nayi9a3.cloudfront.net 13.224.194.7 true
clients2.googleusercontent.com unknown unknown
cdn.segment.com unknown unknown
renderer-assets.typeform.com unknown unknown
public-assets.typeform.com unknown unknown
js-agent.newrelic.com unknown unknown
images.typeform.com unknown unknown
24mbw17feyn.typeform.com unknown unknown